Edit tour

Windows Analysis Report
wps_wid.cid-735916525.1730301987.exe

Overview

General Information

Sample name:	wps_wid.cid-735916525.1730301987.exe
Analysis ID:	1545519
MD5:	8d76bb0011099f752d1df93ad3f697f2
SHA1:	467d3da8b2fa7ff0d2958d30c3345c109647e09d
SHA256:	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772
Tags:	exeuser-Fuzzy
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	34
Range:	0 - 100

Signatures

Contains functionality to infect the boot sector

Drops large PE files

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

wps_wid.cid-735916525.1730301987.exe (PID: 5656 cmdline: "C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe" MD5: 8D76BB0011099F752D1DF93AD3F697F2)

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe (PID: 2548 cmdline: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_GB -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\user\AppData\Roaming" MD5: 4A300FA35A277A4BE0455ECEEF3B4FDB)

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe (PID: 6128 cmdline: "C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_GB" -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\user\AppData\Roaming" -msgwndname=wpssetup_message_48854E -curinstalltemppath=C:\Users\user\AppData\Local\Temp\wps\~4872e0\ MD5: 4A300FA35A277A4BE0455ECEEF3B4FDB)

ksomisc.exe (PID: 368 cmdline: "C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_GB MD5: 7680119F3DE2925404AE2615898AC605)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009CA920 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,CertGetNameStringW,CertGetNameStringW,CertGetNameStringW,CertFreeCRLContext,CertCloseStore,CryptMsgClose,CertGetNameStringW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,PathFileExistsW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,RegCloseKey,	5_2_009CA920
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00C0F0D0 ?replace@QString@kso_qt@@QAEAAV12@ABV12@0W4CaseSensitivity@Qt@2@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?isOverseasVersion@product@krt@@YA_NXZ,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??4QString@kso_qt@@QAEAAV01@$$QAV01@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??YQString@kso_qt@@QAEAAV01@PBD@Z,??0QUrl@kso_qt@@QAE@ABVQString@1@W4ParsingMode@01@@Z,??0QNetworkRequest@kso_qt@@QAE@ABVQUrl@1@@Z,??1QUrl@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,??0QByteArray@kso_qt@@QAE@PBDH@Z,?setRawHeader@QNetworkRequest@kso_qt@@QAEXABVQByteArray@2@0@Z,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,??0QByteArray@kso_qt@@QAE@PBDH@Z,?setRawHeader@QNetworkRequest@kso_qt@@QAEXABVQByteArray@2@0@Z,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??0QLocale@kso_qt@@QAE@W4Language@01@W4Country@01@@Z,?currentDateTimeUtc@QDateTime@kso_qt@@SA?AV12@XZ,?toString@QLocale@kso_qt@@QBE?AVQString@2@ABVQDateTime@2@ABV32@@Z,??1QDateTime@kso_qt@@QAE@XZ,??0QChar@kso_qt@@QAE@UQLatin1Char@1@@Z,?arg@QString@kso_qt@@QBE?AV12@ABV12@HVQChar@2@@Z,??1QString@kso_qt@@QAE@XZ,??1QLocale@kso_qt@@QAE@XZ,?hash@QCryptographicHash@kso_qt@@SA?AVQByteArray@2@ABV32@W4Algorithm@12@@Z,?toHex@QByteArray@kso_qt@@QBE?AV12@XZ,?toBase64@QByteArray@kso_qt@@QBE?AV12@XZ,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??0QByteArray@kso_qt@@QAE@PBDH@Z,??0QByteArray@kso_qt@@QAE@PBDH@Z,?setRawHeader@QNetworkRequest@kso_qt@@QAEXABVQByteArray@2@0@Z,??1QByteArray@kso_qt@@QAE@XZ,??0QByteArray@kso_qt@@QAE@PBDH@Z,?setRawHeader@QNetworkRequest@kso_qt@@QAEXABVQByteArray@2@0@Z,??1QByteArray@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,??0QByteArray@kso_qt@@QAE@PBDH@Z,?setRawHeader@QNetworkRequest@kso_qt@@QAEXABVQByteArray@2@0@Z,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,?sslConfiguration@QNetworkRequest@kso_qt@@QBE?AVQSslConfiguration@2@XZ,?setPeerVerifyMode@QSslConfiguration@kso_qt@@QAEXW4PeerVerifyMode@QSslSocket@2@@Z,?setSslConfiguration@QNetworkRequest@kso_qt@@QAEXABVQSslConfiguration@2@@Z,??1QSslConfiguration@kso_qt@@QAE@XZ,?post@QNetworkAccessManager@kso_qt@@QAEPAVQNetworkReply@2@ABVQNetworkRequest@2@ABVQByteArray@2@@Z,??0QEventLoop@kso_qt@@QAE@PAVQObject@1@@Z,??0QTimer@kso_qt@@QAE@PAVQObject@1@@Z,?quit@QEventLoop@kso_qt@@QAEXXZ,?finished@QNetworkReply@kso_qt@@QAEXXZ,?staticMetaObject@QNetworkReply@kso_qt@@2UQMetaObject@2@B,?connectImpl@QObject@kso_qt@@CA?AVConnection@QMetaObject@2@PBV12@PAPAX01PAVQSlotObjectBase@QtPrivate@2@W4ConnectionType@Qt@2@PBHPBU42@@Z,??1Connection@QMetaObject@kso_qt@@QAE@XZ,??1Connection@QMetaObject@kso_qt@@QAE@XZ,??1Connection@QMetaObject@kso_qt@@QAE@XZ,??1Connection@QMetaObject@kso_qt@@QAE@XZ,?timeout@QTimer@kso_qt@@QAEXUQPrivateSignal@12@@Z,?staticMetaObje	7_2_00C0F0D0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00C0EB50 ?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QString@kso_qt@@QAE@ABVQByteArray@1@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?shared_null@QListData@kso_qt@@2UData@12@B,?realloc@QListData@kso_qt@@QAEXH@Z,?shared_null@QListData@kso_qt@@2UData@12@B,?begin@QListData@kso_qt@@QBEPAPAXXZ,?end@QListData@kso_qt@@QBEPAPAXXZ,?toLower@QString@kso_qt@@QGBE?AV12@XZ,??1QString@kso_qt@@QAE@XZ,?cbegin@QByteArray@kso_qt@@QBEPBDXZ,?QStringList_join@QtPrivate@kso_qt@@YA?AVQString@2@PBVQStringList@2@PBVQChar@2@H@Z,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,?hash@QMessageAuthenticationCode@kso_qt@@SA?AVQByteArray@2@ABV32@0W4Algorithm@QCryptographicHash@2@@Z,?toHex@QByteArray@kso_qt@@QBE?AV12@XZ,?toBase64@QByteArray@kso_qt@@QBE?AV12@XZ,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,??0QChar@kso_qt@@QAE@UQLatin1Char@1@@Z,?arg@QString@kso_qt@@QBE?AV12@ABV12@HVQChar@2@@Z,?arg@QString@kso_qt@@QBE?AV12@ABV12@HVQChar@2@@Z,?fromUtf8@QString@kso_qt@@SA?AV12@ABVQByteArray@2@@Z,??0QChar@kso_qt@@QAE@UQLatin1Char@1@@Z,?arg@QString@kso_qt@@QBE?AV12@ABV12@HVQChar@2@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,	7_2_00C0EB50
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BA3B70 ??0QVariant@kso_qt@@QAE@ABV?$QMap@VQString@kso_qt@@VQVariant@2@@1@@Z,?fromVariant@QJsonDocument@kso_qt@@SA?AV12@ABVQVariant@2@@Z,??1QVariant@kso_qt@@QAE@XZ,?freeTree@QMapDataBase@kso_qt@@QAEXPAUQMapNodeBase@2@H@Z,?freeData@QMapDataBase@kso_qt@@SAXPAU12@@Z,?toJson@QJsonDocument@kso_qt@@QBE?AVQByteArray@2@W4JsonFormat@12@@Z,??0QString@kso_qt@@QAE@ABVQByteArray@1@@Z,??1QByteArray@kso_qt@@QAE@XZ,??0QUrl@kso_qt@@QAE@XZ,??0QNetworkRequest@kso_qt@@QAE@ABVQUrl@1@@Z,??1QUrl@kso_qt@@QAE@XZ,??1QUrl@kso_qt@@QAE@XZ,??0QUrl@kso_qt@@QAE@ABVQString@1@W4ParsingMode@01@@Z,?setUrl@QNetworkRequest@kso_qt@@QAEXABVQUrl@2@@Z,??1QUrl@kso_qt@@QAE@XZ,??0QByteArray@kso_qt@@QAE@PBDH@Z,??0QByteArray@kso_qt@@QAE@PBDH@Z,??0QByteArray@kso_qt@@QAE@PBDH@Z,?setRawHeader@QNetworkRequest@kso_qt@@QAEXABVQByteArray@2@0@Z,??1QByteArray@kso_qt@@QAE@XZ,??1QByteArray@kso_qt@@QAE@XZ,??0QString@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,?aesEncrypt@KAesEncrypt@@SA_NABVQByteArray@kso_qt@@00AAVQString@3@@Z,??1QByteArray@kso_qt@@QAE@XZ,?toUtf8@QString@kso_qt@@QHAE?AVQByteArray@2@XZ,?post@QNetworkAccessManager@kso_qt@@QAEPAVQNetworkReply@2@ABVQNetworkRequest@2@ABVQByteArray@2@@Z,??1QByteArray@kso_qt@@QAE@XZ,?connect@QObject@kso_qt@@SA?AVConnection@QMetaObject@2@PBV12@PBD01W4ConnectionType@Qt@2@@Z,??1Connection@QMetaObject@kso_qt@@QAE@XZ,?start@QTime@kso_qt@@QAEXXZ,?shared_null@QHashData@kso_qt@@2U12@B,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,?free_helper@QHashData@kso_qt@@QAEXP6AXPAUNode@12@@Z@Z,??1QString@kso_qt@@QAE@XZ,??1QNetworkRequest@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QJsonArray@kso_qt@@QAE@XZ,	7_2_00BA3B70

Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_a9ababca-9

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

EXE: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

EXE: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Jump to behavior

Uses 32bit PE files

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

File created: C:\Users\user\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Jump to behavior

PE / OLE file has a valid certificate

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3767362095.00000000157B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\printsupport\windowsprintersupport.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\printsupport\windowsprintersupport.pdb## source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\platforms\qwindows.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014251000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\addons\yunkitapi\yunkitapi.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\imageformats\qsvg.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4126160918.000000006B153000.00000002.00000001.01000000.00000017.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\iconusers\qsvgicon.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?COMCTL32.dllWINHTTP.dllcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMLoad file into cachecrypto\x509\by_file.cunspecified certificate verification errorunable to get issuer certificateunable to get certificate CRLunable to decrypt certificate's signatureunable to decrypt CRL's signatureunable to decode issuer public keycertificate signature failureCRL signature failurecertificate is not yet validcertificate has expiredCRL is not yet validCRL has expiredformat error in certificate's notBefore fieldformat error in certificate's notAfter fieldformat error in CRL's lastUpdate fieldformat error in CRL's nextUpdate fieldout of memoryself signed certificateself signed certificate in certificate chainunable to get local issuer certificateunable to verify the first certificatecertificate chain too longcertificate revokedinvalid CA certificatepath length constraint exceededunsupported certificate purposecertificate not trustedcertificate rejectedsubject issuer mismatchauthority and subject key identifier mismatchauthority and issuer serial number mismatchkey usage does not include certificate signingunable to get CRL issuer certificateunhandled critical extensionkey usage does not include CRL signingunhandled critical CRL extensioninvalid non-CA certificate (has CA markings)proxy path length constraint exceededkey usage does not include digital signatureproxy certificates not allowed, please set the appropriate flaginvalid or inconsistent certificate extensioninvalid or inconsistent certificate policy extensionno explicit policyDifferent CRL scopeUnsupported extension featureRFC 3779 resource not subset of parent's resourcespermitted subtree violationexcluded subtree violationname constraints minimum and maximum not supportedapplication verification failureunsupported name constraint typeunsupported or invalid name constraint syntaxunsupported or invalid name syntaxCRL path validation errorPath LoopSuite B: certificate version invalidSuite B: invalid public key algorithmSuite B: invalid ECC curveSuite B: invalid signature algorithmSuite B: curve not allowed for this LOSSuite B: cannot sign P-384 with P-256Hostname mismatchEmail address mismatchIP address mismatchNo matching DANE TLSA recordsEE certificate key too weakCA certificate key too weakCA signature digest algorithm too weakInvalid certificate verification contextIssuer certificate lookup errorCertificate Transparency required, but no valid SCTs foundproxy subject name violationOCSP verification neededOCSP verification failedOCSP unknown certCertificate public key has explicit ECC parametersunknown certificate verification errorcrypto\asn1\x_info.ccrypto\pem\pem_info.cRSA P
Source:	Binary string: ucrtbase.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\rc_v12_i18n_202409_branch\Build\Release\WPSOffice\office6\addons\konlinesetup_xa\konlinesetup_xa.pdb source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\wpsuil.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\platforms\qdirect2d.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000013241000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\wpsupdate_res.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\styles\qwindowsvistastyle.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\wpsofficeicon.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A0C1A0 PathAddBackslashW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,SHGetSpecialFolderPathW,	5_2_00A0C1A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A1C140 PathAddBackslashW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	5_2_00A1C140
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D42F0 FindFirstFileW,PathFileExistsW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,GetLastError,FindClose,CopyFileW,lstrcmpW,FindNextFileW,	5_2_009D42F0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A34270 SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,FindNextFileW,FindNextFileW,StrStrIW,StrStrIW,FindNextFileW,FindClose,CoUninitialize,	5_2_00A34270
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009CB6E0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	5_2_009CB6E0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009EFBA0 RegCloseKey,FindFirstFileW,MoveFileExW,MoveFileExW,FindNextFileW,FindClose,MoveFileExW,Concurrency::cancel_current_task,MoveFileExW,MoveFileExW,	5_2_009EFBA0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A37D60 RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,FindFirstFileW,FindNextFileW,FindClose,GetLastError,	5_2_00A37D60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009EC0D0 FindFirstFileW,FindNextFileW,FindClose,CopyFileW,RegOpenKeyExW,RegSetValueExW,RegCloseKey,	5_2_009EC0D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00990160 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindClose,GetLastError,GetLastError,RemoveDirectoryW,MoveFileExW,GetLastError,FindClose,GetSystemDirectoryW,SetFileAttributesW,DeleteFileW,MoveFileExW,SetFileAttributesW,DeleteFileW,GetTickCount,MoveFileExW,MoveFileExW,lstrcmpW,FindNextFileW,__Init_thread_footer,	5_2_00990160
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A004A0 PathAddBackslashW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00A004A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A5E890 SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,DeleteFileW,FindNextFileW,FindClose,CoUninitialize,	5_2_00A5E890
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D5150 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_009D5150
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A3F6B0 PathFileExistsW,GetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,WritePrivateProfileStringW,WritePrivateProfileStringW,WritePrivateProfileStringW,WritePrivateProfileStringW,	5_2_00A3F6B0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0098B710 FindFirstFileW,FindNextFileW,FindClose,	5_2_0098B710
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009C98F0 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	5_2_009C98F0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A3D8D0 FindFirstFileW,GetLastError,PathFileExistsW,CopyFileW,FindNextFileW,FindClose,PathFileExistsW,CopyFileW,GetLastError,GetLastError,	5_2_00A3D8D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A39BC0 PathFileExistsW,FindFirstFileW,lstrcmpW,lstrcmpW,CopyFileW,FindNextFileW,FindClose,	5_2_00A39BC0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A33EE0 FindNextFileW,StrStrIW,StrStrIW,CopyFileW,GetSystemDirectoryW,SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,FindNextFileW,FindNextFileW,StrStrIW,StrStrIW,FindNextFileW,FindClose,CoUninitialize,	5_2_00A33EE0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009C9F70 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,DeleteFileW,FindClose,	5_2_009C9F70
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A924B0 memset,memset,GetVersionExW,wcscat_s,memset,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,??1QString@kso_qt@@QAE@XZ,?utf16@QString@kso_qt@@QBEPBGXZ,FindFirstFileW,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,?utf16@QString@kso_qt@@QBEPBGXZ,??1QString@kso_qt@@QAE@XZ,FindNextFileW,FindClose,??1QString@kso_qt@@QAE@XZ,	7_2_00A924B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A89420 memset,wcsncpy,wcsncat,memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	7_2_00A89420
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9D6A0 ?shared_null@QListData@kso_qt@@2UData@12@B,memset,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?fromUtf8@QString@kso_qt@@SA?AV12@PBDH@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,?toNativeSeparators@QDir@kso_qt@@SA?AVQString@2@ABV32@@Z,??1QString@kso_qt@@QAE@XZ,?utf16@QString@kso_qt@@QBEPBGXZ,FindFirstFileW,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?fromUtf8@QString@kso_qt@@SA?AV12@PBDH@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,FindNextFileW,?shared_null@QListData@kso_qt@@2UData@12@B,?shared_null@QListData@kso_qt@@2UData@12@B,FindClose,??1QString@kso_qt@@QAE@XZ,	7_2_00A9D6A0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9A95C ??0QString@kso_qt@@QAE@PBD@Z,??1QString@kso_qt@@QAE@XZ,memmove,memset,wcscpy_s,_invalid_parameter_noinfo_noreturn,memset,memset,memset,GetVersionExW,memset,FindFirstFileW,??0QString@kso_qt@@QAE@XZ,?isOverseasVersion@product@krt@@YA_NXZ,??4QString@kso_qt@@QAEAAV01@PBD@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??1QString@kso_qt@@QAE@XZ,DeleteFileW,FindNextFileW,??1QString@kso_qt@@QAE@XZ,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00A9A95C
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9BA70 FindClose,Sleep,memset,FindFirstFileW,FindClose,Sleep,	7_2_00A9BA70
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A92A40 ?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?shared_null@QListData@kso_qt@@2UData@12@B,?isEmpty@QListData@kso_qt@@QBE_NXZ,?toNativeSeparators@QDir@kso_qt@@SA?AVQString@2@ABV32@@Z,??0QChar@kso_qt@@QAE@H@Z,?endsWith@QString@kso_qt@@QBE_NVQChar@2@W4CaseSensitivity@Qt@2@@Z,??YQString@kso_qt@@QAEAAV01@PBD@Z,?utf16@QString@kso_qt@@QBEPBGXZ,FindFirstFileW,FindNextFileW,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?fromWCharArray@QString@kso_qt@@SA?AV12@PB_WH@Z,?QStringList_contains@QtPrivate@kso_qt@@YA_NPBVQStringList@2@ABVQString@2@W4CaseSensitivity@Qt@2@@Z,??1QString@kso_qt@@QAE@XZ,FindNextFileW,FindClose,??1QString@kso_qt@@QAE@XZ,	7_2_00A92A40
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00B07DB0 FindFirstFileW,_wcsnicmp,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,	7_2_00B07DB0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A97E40 memset,FindFirstFileW,DeleteFileW,FindNextFileW,memmove,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?isSupportRibbonScale@product@krt@@YA_NXZ,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??1QString@kso_qt@@QAE@XZ,?shared_null@QHashData@kso_qt@@2U12@B,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,??0QChar@kso_qt@@QAE@UQLatin1Char@1@@Z,?arg@QString@kso_qt@@QBE?AV12@ABV12@HVQChar@2@@Z,?utf16@QString@kso_qt@@QBEPBGXZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,?shared_null@QHashData@kso_qt@@2U12@B,	7_2_00A97E40
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8DE50 memset,FindFirstFileW,memset,memset,_wcsicmp,memset,memset,_wcsnicmp,FindNextFileW,FindClose,	7_2_00A8DE50

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009F75A0 GetTempPathW,PathAddBackslashW,GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,PathAddBackslashW,GetTickCount,

5_2_009F75A0

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\kappcustomwidget\static\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\kappcustomwidget\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\kappcustomwidget\static\css\	Jump to behavior

Networking

Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://120.131.9.220
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://120.131.9.220$
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3773294724.000000001558E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp, ksomisc.exe, 00000007.00000003.3795276373.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp, ksomisc.exe, 00000007.00000003.3795276373.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3773294724.000000001558E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp, ksomisc.exe, 00000007.00000003.3795276373.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp, ksomisc.exe, 00000007.00000003.3795276373.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dw-collect-debug.ksord.com)datesign_eventslocal
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dw-online.ksosoft.com/api/dynamicParam/v3/app/2.9.0dcsdk_eventv3.dbdcsdk_dpv3.data10C
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://en.ksupdate.com/errorreport/uphttps://en.ksupdate.com/errorreport/up-crashdmp
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://event.4wps.nethttps://event.wps.comcountryCodeFinishTaghttps://www.google-analytics.com/mp/co
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=kdcsdk_infoc/wps/client/appcountrycodelastupdate
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.di
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp, ksomisc.exe, 00000007.00000003.3795276373.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3773294724.000000001558E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp, ksomisc.exe, 00000007.00000003.3795276373.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3790893433.0000000001550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://up.wps.kingsoft.com/wpsupdate2009
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wu005.kuaikuai.cn/wpsupdate
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wu005.kuaikuai.cn/wpsupdateoad
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766343833.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://account.wps.cn/healthy
Source: ksomisc.exe	String found in binary or memory: https://api.wps.com/pc/special/api/user/remove-data
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxSoftware
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://conf.psvr.wps.cn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsggc:51:0
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascnsrsggc:51:0
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://deviceapi.wps.cn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://deviceapi.wps.cnclient_type=%1
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://en.ksupdate.com/errorreport/up
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=&version=&chann
Source: ksomisc.exe	String found in binary or memory: https://phapi.wps.cn/api/v2/handle/setting
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qing.wps.cn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qing.wps.cne_id_type
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://qr.wps.cn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://qr.wps.cn/api/v3/channel
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s%1.vip.wpscdn.cn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s%1.vip.wpscdn.cnTTransportException:
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sharefolder.wps.cn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sharefolder.wps.cn/api/v1/space/notify/ownerspace_owner_id
Source: ksomisc.exe	String found in binary or memory: https://switch.pcfg.cache.wpscdn.cn/wps_cdn_config/hashcalcswitch
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/distsrc/.execrashdmppidtidexp1IS_WPSO
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/package/SOFTWARE
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://website-prod.cache.wpscdn.com/pkgs/win/setup_XA_mui_Free.exeSOFTWARE
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wpsplus.com
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wpsplus.com/3rd/drive/api/v3/mine/team/link/%1with_corp_name=%1
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000014FDE000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766195637.0000000014FE6000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000014FDE000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3766195637.0000000014FE6000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/-(Gn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/Th
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/mp/collect?firebase_app_id=1:463244832315:android:fe82dee1e0f73e232
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google-analytics.com/mp/collecthttps://http:///Iphlpapi.dllGetNetworkParamsinternal_proc
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com:443/mp/collect?firebase_app_id=1:463244832315:android:fe82dee1e0f73
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4122341949.0000000015581000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wps.com
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wps.com/eula
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wps.com/eulaprivacy_policylicense_agreementlabelTitleMsg_Wps_OnlineSetup_TaskMsgMsg_Wps_
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wps.com/privacy-policy
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wps.com8

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\tmp\PDF\Security\Trustworthy\watl.bin

Jump to dropped file

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

File dump: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe.0.dr 252569368

Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E64110 GetFileInformationByHandle,GetLastError,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtClose,	7_2_64E64110
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E643B0 GetFileInformationByHandle,GetLastError,GetCurrentProcess,NtAllocateVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,GetCurrentProcess,GetCurrentProcess,NtAllocateVirtualMemory,NtCreateSection,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtMapViewOfSection,NtClose,GetCurrentProcess,GetCurrentProcess,NtFreeVirtualMemory,	7_2_64E643B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E64330 NtClose,GetCurrentProcess,NtUnmapViewOfSection,GetOverlappedResult,GetLastError,	7_2_64E64330
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E64E10 InitializeCriticalSection,NtQuerySystemInformation,GetSystemTimeAsFileTime,Sleep,GetSystemTimeAsFileTime,	7_2_64E64E10

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

Code function: 7_2_64E0B3F0: memset,GetSystemDirectoryW,GetLastError,__acrt_iob_func,_fprintf,CreateFileW,GetLastError,__acrt_iob_func,_fprintf,DeviceIoControl,GetLastError,__acrt_iob_func,_fprintf,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,strncpy_s,strncpy_s,strncpy_s,memset,CloseHandle,CloseHandle,

7_2_64E0B3F0

Detected potential crypto function

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A14280	5_2_00A14280
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A483A0	5_2_00A483A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009FA6E0	5_2_009FA6E0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009CA920	5_2_009CA920
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00948C50	5_2_00948C50
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009DEFB0	5_2_009DEFB0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A5DD50	5_2_00A5DD50
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A2BF90	5_2_00A2BF90
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009F2080	5_2_009F2080
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009EC0D0	5_2_009EC0D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BA110	5_2_009BA110
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C922AD	5_2_00C922AD
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A46230	5_2_00A46230
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00AB2200	5_2_00AB2200
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C3A3A0	5_2_00C3A3A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A4A350	5_2_00A4A350
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C924DF	5_2_00C924DF
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C064F0	5_2_00C064F0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C86490	5_2_00C86490
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A60690	5_2_00A60690
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C2C680	5_2_00C2C680
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C14600	5_2_00C14600
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C40840	5_2_00C40840
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00BEA930	5_2_00BEA930
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CBA918	5_2_00CBA918
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A38AB0	5_2_00A38AB0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00ABCA40	5_2_00ABCA40
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CBAA38	5_2_00CBAA38
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A3CBB0	5_2_00A3CBB0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00BECBD0	5_2_00BECBD0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C40C40	5_2_00C40C40
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A5F080	5_2_00A5F080
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009810D0	5_2_009810D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00BF10D0	5_2_00BF10D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BF000	5_2_009BF000
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CB91F2	5_2_00CB91F2
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00BEB140	5_2_00BEB140
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BB230	5_2_009BB230
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C893C6	5_2_00C893C6
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00985490	5_2_00985490
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A914D0	5_2_00A914D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D5450	5_2_009D5450
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A2B580	5_2_00A2B580
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0099B5B0	5_2_0099B5B0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009F95A0	5_2_009F95A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A01530	5_2_00A01530
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00ABD660	5_2_00ABD660
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00987780	5_2_00987780
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00983730	5_2_00983730
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A63770	5_2_00A63770
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C9D720	5_2_00C9D720
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0099D890	5_2_0099D890
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A978D0	5_2_00A978D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A63820	5_2_00A63820
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BB850	5_2_009BB850
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00BE7840	5_2_00BE7840
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0099B9C0	5_2_0099B9C0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C2D910	5_2_00C2D910
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A09AE0	5_2_00A09AE0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D7A20	5_2_009D7A20
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BFB00	5_2_009BFB00
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C2DB70	5_2_00C2DB70
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A61B60	5_2_00A61B60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A89CB0	5_2_00A89CB0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0099DC60	5_2_0099DC60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009A3D10	5_2_009A3D10
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CABEC0	5_2_00CABEC0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D5FB0	5_2_009D5FB0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009ADF00	5_2_009ADF00
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C2BF60	5_2_00C2BF60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1725C0	5_2_6B1725C0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B16D34E	5_2_6B16D34E
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B172200	5_2_6B172200
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B16E2BC	5_2_6B16E2BC
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B171970	5_2_6B171970
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B161810	5_2_6B161810
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B169610	5_2_6B169610
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B173570	5_2_6B173570
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1ECB30	5_2_6B1ECB30
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1D3B90	5_2_6B1D3B90
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1A4B80	5_2_6B1A4B80
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1BABF0	5_2_6B1BABF0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1A93E0	5_2_6B1A93E0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1CC220	5_2_6B1CC220
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1B3260	5_2_6B1B3260
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1EC2B0	5_2_6B1EC2B0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B19D940	5_2_6B19D940
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1D6140	5_2_6B1D6140
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1CC9A0	5_2_6B1CC9A0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BD5130	7_2_00BD5130
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BD00F0	7_2_00BD00F0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A88000	7_2_00A88000
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8D190	7_2_00A8D190
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00B952E0	7_2_00B952E0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00ABA580	7_2_00ABA580
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9C500	7_2_00A9C500
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BF9630	7_2_00BF9630
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BE4610	7_2_00BE4610
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BB3710	7_2_00BB3710
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00B75770	7_2_00B75770
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BB6850	7_2_00BB6850
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BE3A50	7_2_00BE3A50
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9EB40	7_2_00A9EB40
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00ADBCB0	7_2_00ADBCB0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00AC5CD0	7_2_00AC5CD0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BE4D30	7_2_00BE4D30
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00ADAEA0	7_2_00ADAEA0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00B8CEC0	7_2_00B8CEC0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00BE5E70	7_2_00BE5E70
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A97E40	7_2_00A97E40
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E12790	7_2_64E12790
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E0FC10	7_2_64E0FC10
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E1EFB0	7_2_64E1EFB0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E138B0	7_2_64E138B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E0F9B0	7_2_64E0F9B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E654F0	7_2_64E654F0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E55560	7_2_64E55560
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E643B0	7_2_64E643B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E50310	7_2_64E50310
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E64E10	7_2_64E64E10
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E424A0	7_2_64E424A0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E414B0	7_2_64E414B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E5C460	7_2_64E5C460
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E5F590	7_2_64E5F590
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E44560	7_2_64E44560
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E4453C	7_2_64E4453C

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 00B41EB0 appears 47 times
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 00B0E750 appears 69 times
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 00B10190 appears 83 times
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 00A8BF80 appears 221 times
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 00BB95A0 appears 71 times
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 64E451B0 appears 32 times
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: String function: 00B96C30 appears 39 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 00962170 appears 31 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 00C8FF12 appears 31 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 00984BF0 appears 41 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0099C4B0 appears 205 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 00977830 appears 41 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0095FAB0 appears 135 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0099C180 appears 38 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0095F420 appears 70 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0097FBF0 appears 70 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 009D0EE0 appears 42 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0095F7E0 appears 151 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 00C80430 appears 50 times
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: String function: 0095ECB0 appears 48 times

PE file contains executable resources (Code or Archives)

Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Resource name: ZIPRES type: Zip archive data, at least v1.0 to extract, compression method=store
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Resource name: ZIPRES type: Zip archive data, at least v1.0 to extract, compression method=store

PE file does not import any functions

Source: api-ms-win-core-console-l1-2-0.dll.5.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.5.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.5.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238651595.0000000000B37000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamekonlinesetup_xa.exe6 vs wps_wid.cid-735916525.1730301987.exe

Uses 32bit PE files

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: com.slnishinomiya.hyogo.jpkustanai.rucom.snpassenger-association.aerocom.sotsushima.nagasaki.jpcom.stuy.comx.seisa-geek.comcom.sv

Source: classification engine

Classification label: sus26.evad.winEXE@6/1037@0/3

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

Code function: 7_2_64E50310 memset,GetFileInformationByHandle,GetLastError,ReadFile,GetLastError,SleepEx,ReadFile,GetLastError,FormatMessageA,ReadFile,GetLastError,SleepEx,ReadFile,GetLastError,FormatMessageA,FormatMessageA,FormatMessageA,FormatMessageA,

7_2_64E50310

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009994B0 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,ExpandEnvironmentStringsW,GetFileAttributesW,RegUnLoadKeyW,RegUnLoadKeyW,RegLoadKeyW,RegOpenKeyExW,RegCloseKey,RegUnLoadKeyW,RegCloseKey,RegEnumKeyExW,RegCloseKey,		5_2_009994B0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009CB450 GetCurrentProcessId,ProcessIdToSessionId,ProcessIdToSessionId,OpenProcess,OpenProcessToken,CloseHandle,CloseHandle,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,		5_2_009CB450

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009F1960 GetDiskFreeSpaceExW,GetModuleFileNameW,CreateFileW,GetFileSize,CloseHandle,

5_2_009F1960

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009CC5B0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_009CC5B0

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00A34270 SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,FindNextFileW,FindNextFileW,StrStrIW,StrStrIW,FindNextFileW,FindClose,CoUninitialize,

5_2_00A34270

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00A062F0 RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,FindResourceW,LoadResource,LockResource,SizeofResource,GetTempPathW,GetTickCount,GetTempFileNameW,CreateFileW,CloseHandle,WaitForSingleObject,GetLastError,Concurrency::cancel_current_task,

5_2_00A062F0

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

File created: C:\Users\user\AppData\Roaming\kingsoft

Jump to behavior

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7B585BD5-8E73-4058-B7DF-F46EE9AB43BC}KDCSDK_SEND_DEVICE_INFO_MUTEX
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Mutant created: \Sessions\1\BaseNamedObjects\6128installer
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Mutant created: \Sessions\1\BaseNamedObjects\2548installer
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Mutant created: \Sessions\1\BaseNamedObjects\_KHDID3MGR_3E67DFEF-DF4E-4CC6-9413-5F71C7C96C04
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Mutant created: \Sessions\1\BaseNamedObjects\{5BE9D8BC-AF60-4b40-A4D0-21F65B4F8788}
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\wpssetup_C42D7A0A-2868-45FF-92EE-9B7AE7124588
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Mutant created: \Sessions\1\BaseNamedObjects\KdcDBGlobalMutexC:_Users_user_AppData_Roaming_kingsoft_wps_dcsdk_cache.db
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Mutant created: \Sessions\1\BaseNamedObjects\_KHDIDMGR_3E67DFEF-DF4E-4CC6-9413-5F71C7C96C04
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Mutant created: \Sessions\1\BaseNamedObjects\KOnlinesetupMutexNew_EF472A88-E1D0-44DF-B44E-FF5186E43ADC
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7B585BD5-8E73-4058-B7DF-F46EE9AB43BC}KDCSDK_RESTORE_LOCK_MUTEX01a86845241d76e805eba1a3636fc13f
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Mutant created: \Sessions\1\BaseNamedObjects\__#_KCCSDK_WPS_PROCESS_EXIST_KEY_#__
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Mutant created: \Sessions\1\BaseNamedObjects\_#_UPD_LogFile_Z_MutxName_#_

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

File created: C:\Users\user\AppData\Local\Temp\konlinesetup

Jump to behavior

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

File read: C:\Users\user\AppData\Local\tempinstall.ini

Jump to behavior

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: Setup/InstallPathUnswitchable
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	String found in binary or memory: Product/LauncherName
Source: ksomisc.exe	String found in binary or memory: :/ksomisc/addinmgr.ico
Source: ksomisc.exe	String found in binary or memory: /comaddin/addinswl
Source: ksomisc.exe	String found in binary or memory: /comaddin/addinsbl
Source: ksomisc.exe	String found in binary or memory: :/ksomisc/loading.gif
Source: ksomisc.exe	String found in binary or memory: invalid page-address %p, offset %zi

Source: unknown	Process created: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe "C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe"
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_GB -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\user\AppData\Roaming"
Source: unknown	Process created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe "C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_GB" -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\user\AppData\Roaming" -msgwndname=wpssetup_message_48854E -curinstalltemppath=C:\Users\user\AppData\Local\Temp\wps\~4872e0\
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_GB
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_GB -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\user\AppData\Roaming"	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_GB	Jump to behavior

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5winextraskso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5svgkso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5widgetskso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5guikso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5corekso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5guikso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5corekso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5guikso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5corekso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: qt5corekso.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5networkkso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5winextraskso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: fltlib.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5widgetskso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5guikso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kshell.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ksolite.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5guikso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5guikso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5svgkso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5xmlkso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: libcurl.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ksouil.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kbase.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kprometheus.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kdownload.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: krt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5corekso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: krt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kbase.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: libssl-kso-1_1.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: libcrypto-kso-1_1.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5svgkso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kbase.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: krt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: krt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msvcp140_codecvt_ids.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: libcrypto-kso-1_1.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: qt5svgkso.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: krt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kimalloc.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

File written: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a software uninstall entry

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office

Jump to behavior

PE / OLE file has a valid certificate

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: certificate valid

PE file has a big code size

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: wps_wid.cid-735916525.1730301987.exe

Static file information: File size 5806976 > 1048576

PE file has a big raw section

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3e3c00

PE file imports many functions

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: More than 200 imports for KERNEL32.dll

PE file contains a mix of data directories often seen in goodware

Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: wps_wid.cid-735916525.1730301987.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3767362095.00000000157B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\printsupport\windowsprintersupport.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\printsupport\windowsprintersupport.pdb## source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\platforms\qwindows.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014251000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\addons\yunkitapi\yunkitapi.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\imageformats\qsvg.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4126160918.000000006B153000.00000002.00000001.01000000.00000017.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\iconusers\qsvgicon.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.000000001328C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?COMCTL32.dllWINHTTP.dllcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMLoad file into cachecrypto\x509\by_file.cunspecified certificate verification errorunable to get issuer certificateunable to get certificate CRLunable to decrypt certificate's signatureunable to decrypt CRL's signatureunable to decode issuer public keycertificate signature failureCRL signature failurecertificate is not yet validcertificate has expiredCRL is not yet validCRL has expiredformat error in certificate's notBefore fieldformat error in certificate's notAfter fieldformat error in CRL's lastUpdate fieldformat error in CRL's nextUpdate fieldout of memoryself signed certificateself signed certificate in certificate chainunable to get local issuer certificateunable to verify the first certificatecertificate chain too longcertificate revokedinvalid CA certificatepath length constraint exceededunsupported certificate purposecertificate not trustedcertificate rejectedsubject issuer mismatchauthority and subject key identifier mismatchauthority and issuer serial number mismatchkey usage does not include certificate signingunable to get CRL issuer certificateunhandled critical extensionkey usage does not include CRL signingunhandled critical CRL extensioninvalid non-CA certificate (has CA markings)proxy path length constraint exceededkey usage does not include digital signatureproxy certificates not allowed, please set the appropriate flaginvalid or inconsistent certificate extensioninvalid or inconsistent certificate policy extensionno explicit policyDifferent CRL scopeUnsupported extension featureRFC 3779 resource not subset of parent's resourcespermitted subtree violationexcluded subtree violationname constraints minimum and maximum not supportedapplication verification failureunsupported name constraint typeunsupported or invalid name constraint syntaxunsupported or invalid name syntaxCRL path validation errorPath LoopSuite B: certificate version invalidSuite B: invalid public key algorithmSuite B: invalid ECC curveSuite B: invalid signature algorithmSuite B: curve not allowed for this LOSSuite B: cannot sign P-384 with P-256Hostname mismatchEmail address mismatchIP address mismatchNo matching DANE TLSA recordsEE certificate key too weakCA certificate key too weakCA signature digest algorithm too weakInvalid certificate verification contextIssuer certificate lookup errorCertificate Transparency required, but no valid SCTs foundproxy subject name violationOCSP verification neededOCSP verification failedOCSP unknown certCertificate public key has explicit ECC parametersunknown certificate verification errorcrypto\asn1\x_info.ccrypto\pem\pem_info.cRSA P
Source:	Binary string: ucrtbase.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\rc_v12_i18n_202409_branch\Build\Release\WPSOffice\office6\addons\konlinesetup_xa\konlinesetup_xa.pdb source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\wpsuil.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\platforms\qdirect2d.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000013241000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\wpsupdate_res.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.0000000016B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\rc_bug_mas_v12_2409\wpsenv\3rd\qt5\build_x86\qtbase\plugins\styles\qwindowsvistastyle.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: H:\pub_bh8f\rc_bug_mas_v12_2409\Build\Release\WPSOffice\office6\wpsofficeicon.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3752183714.000000001591E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668023522.0000000014F80000.00000004.00001000.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2668443885.0000000014298000.00000004.00000020.00020000.00000000.sdmp

PE file contains a valid data directory to section mapping

Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wps_wid.cid-735916525.1730301987.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: api-ms-win-core-console-l1-1-0.dll.5.dr

Static PE information: 0xF471666F [Wed Dec 16 02:48:15 2099 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_0098D6B0 LoadLibraryW,GetProcAddress,FreeLibrary,ExpandEnvironmentStringsW,FreeLibrary,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,Sleep,ExpandEnvironmentStringsW,RegCloseKey,FreeLibrary,FreeLibrary,

5_2_0098D6B0

PE file contains sections with non-standard names

Source: kshell.dll.5.dr	Static PE information: section name: .detourc
Source: kshell.dll.5.dr	Static PE information: section name: .detourd
Source: krpt.dll.5.dr	Static PE information: section name: .detourc
Source: krpt.dll.5.dr	Static PE information: section name: .detourd
Source: ksandbox.dll.5.dr	Static PE information: section name: .detourc
Source: ksandbox.dll.5.dr	Static PE information: section name: .detourd

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CD2209 push ecx; ret		5_2_00CD221C
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8B255 push eax; retf		7_2_00A8B256

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

Code function: memset,GetSystemDirectoryW,GetLastError,__acrt_iob_func,_fprintf,CreateFileW,GetLastError,__acrt_iob_func,_fprintf,DeviceIoControl,GetLastError,__acrt_iob_func,_fprintf,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,strncpy_s,strncpy_s,strncpy_s,memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

7_2_64E0B3F0

Drops PE files

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kqingaccountsdk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksearchpanel\ksearchpanel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krpt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksandbox\ksandbox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kscreengrab\kscreengrab.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksaddndr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksharedoc_xa\ksharedoc_xa.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\diffbase\office6\mui\default\templates\printTemplate.pdf_bk (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kqingdlg\kqingdlg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\krecentfile\krecentfile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File created: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	File created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Jump to dropped file

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009CA920 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,CertGetNameStringW,CertGetNameStringW,CertGetNameStringW,CertFreeCRLContext,CertCloseStore,CryptMsgClose,CertGetNameStringW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,PathFileExistsW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,RegCloseKey,	5_2_009CA920
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A54D00 GetPrivateProfileStringW,	5_2_00A54D00
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A0AD50 GetPrivateProfileStringW,	5_2_00A0AD50
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00978E30 GetPrivateProfileStringW,GetPrivateProfileStringW,	5_2_00978E30
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009F0F10 RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,GetPrivateProfileStringW,	5_2_009F0F10
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A15D90 SendMessageW,CreateSemaphoreW,ReleaseSemaphore,FindWindowW,GetPrivateProfileStringW,WritePrivateProfileStringW,GetTickCount,SendMessageW,SendMessageW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegDeleteValueW,RegCloseKey,SendMessageW,SendMessageW,RegOpenKeyExW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,RegCloseKey,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,PathQuoteSpacesW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,GetTickCount,WaitForSingleObject,	5_2_00A15D90
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A55E60 GetPrivateProfileStringW,	5_2_00A55E60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A541E0 GetPrivateProfileStringW,	5_2_00A541E0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A46230 PathFileExistsW,GetPrivateProfileIntW,PathFileExistsW,	5_2_00A46230
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A54490 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	5_2_00A54490
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A54AA0 GetPrivateProfileStringW,GetPrivateProfileStringW,	5_2_00A54AA0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BF000 LoadLibraryExW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,PathFileExistsW,	5_2_009BF000
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A574B0 GetPrivateProfileStringW,	5_2_00A574B0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A01530 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,WritePrivateProfileStringW,WritePrivateProfileStringW,WritePrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,	5_2_00A01530
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009BFB00 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetCommandLineW,WritePrivateProfileStringW,	5_2_009BFB00
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A61B60 RegOpenKeyExW,RegQueryValueExW,RegOpenKeyExW,RegCloseKey,RegQueryValueExW,RegCloseKey,MultiByteToWideChar,MultiByteToWideChar,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetSpecialFolderPathW,GetPrivateProfileStringW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,	5_2_00A61B60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0097FDB0 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,PathFileExistsW,DeleteFileW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	5_2_0097FDB0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009FFE10 GetPrivateProfileStringW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,	5_2_009FFE10
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00ABF220 _invalid_parameter_noinfo_noreturn,GetPrivateProfileStringW,GetPrivateProfileStringW,_invalid_parameter_noinfo_noreturn,	7_2_00ABF220
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00B03550 _invalid_parameter_noinfo_noreturn,memset,GetPrivateProfileStringW,_invalid_parameter_noinfo_noreturn,	7_2_00B03550
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00AF77F0 memset,memset,GetModuleFileNameW,wcsrchr,wcsncpy,GetPrivateProfileIntW,__Init_thread_footer,	7_2_00AF77F0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00AF39D0 _invalid_parameter_noinfo_noreturn,memset,GetPrivateProfileStringW,_invalid_parameter_noinfo_noreturn,	7_2_00AF39D0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8D190 _wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,GetPrivateProfileIntW,memset,memset,memset,memset,GetVersionExW,wcsrchr,??0QString@kso_qt@@QAE@XZ,??0QString@kso_qt@@QAE@XZ,??0QString@kso_qt@@QAE@XZ,??0QString@kso_qt@@QAE@XZ,??0QString@kso_qt@@QAE@XZ,	7_2_00A8D190
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9F2C0 ?isChecked@QAbstractButton@kso_qt@@QBE_NXZ,?isChecked@QAbstractButton@kso_qt@@QBE_NXZ,?isChecked@QAbstractButton@kso_qt@@QBE_NXZ,?isChecked@QAbstractButton@kso_qt@@QBE_NXZ,GetPrivateProfileIntW,WritePrivateProfileStringW,?tr@QMetaObject@kso_qt@@QBE?AVQString@2@PBD0H@Z,?tr@QMetaObject@kso_qt@@QBE?AVQString@2@PBD0H@Z,?tr@QMetaObject@kso_qt@@QBE?AVQString@2@PBD0H@Z,?information@QMessageBox@kso_qt@@SA?AW4StandardButton@12@PAVQWidget@2@ABVQString@2@1V?$QFlags@W4StandardButton@QMessageBox@kso_qt@@@2@W4312@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,	7_2_00A9F2C0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8E3D0 memset,memset,memset,memset,memset,memset,memset,_wcsicmp,_wcsicmp,memset,memset,wcsncpy,wcsncpy,wcsncpy,wcsrchr,memset,GetPrivateProfileStringW,_wcsicmp,wcscat_s,?utf16@QString@kso_qt@@QBEPBGXZ,?utf16@QString@kso_qt@@QBEPBGXZ,?utf16@QString@kso_qt@@QBEPBGXZ,	7_2_00A8E3D0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8D850 _wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,GetPrivateProfileIntW,memset,memset,memset,memset,GetVersionExW,wcsrchr,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,??0QString@kso_qt@@QAE@XZ,?isOverseasVersion@product@krt@@YA_NXZ,??4QString@kso_qt@@QAEAAV01@PBD@Z,??YQString@kso_qt@@QAEAAV01@PBD@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??1QString@kso_qt@@QAE@XZ,	7_2_00A8D850
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00AA2930 GetPrivateProfileIntW,WritePrivateProfileStringW,GetPrivateProfileIntW,WritePrivateProfileStringW,GetPrivateProfileIntW,WritePrivateProfileStringW,GetPrivateProfileIntW,WritePrivateProfileStringW,GetPrivateProfileIntW,WritePrivateProfileStringW,	7_2_00AA2930
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8CA20 ?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,_CxxThrowException,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,memset,memset,memset,GetVersionExW,memset,GetPrivateProfileStringW,??0QString@kso_qt@@QAE@XZ,?isSupportRibbonScale@product@krt@@YA_NXZ,?isSupportRibbonScale@product@krt@@YA_NXZ,memset,?isSupportRibbonScale@product@krt@@YA_NXZ,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?trimmed@QString@kso_qt@@QHAE?AV12@XZ,??0QString@kso_qt@@QAE@$$QAV01@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,wcsncpy,?utf16@QString@kso_qt@@QBEPBGXZ,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?utf16@QString@kso_qt@@QBEPBGXZ,??1QString@kso_qt@@QAE@XZ,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??1QString@kso_qt@@QAE@XZ,?isSupportRibbonScale@product@krt@@YA_NXZ,wcsrchr,wcsrchr,??1QString@kso_qt@@QAE@XZ,	7_2_00A8CA20
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A92C20 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,_invalid_parameter_noinfo_noreturn,	7_2_00A92C20
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00AFAD00 ?endGroup@QSettings@kso_qt@@QAEXXZ,?setValue@QSettings@kso_qt@@QAEXABVQString@2@ABVQVariant@2@@Z,memset,GetPrivateProfileStringW,_invalid_parameter_noinfo_noreturn,?endGroup@QSettings@kso_qt@@QAEXXZ,memset,?endGroup@QSettings@kso_qt@@QAEXXZ,GetModuleFileNameW,?endGroup@QSettings@kso_qt@@QAEXXZ,?isOverseasVersion@product@krt@@YA_NXZ,??0KCommonSettings@krt@@QAE@W4Scope@QSettings@kso_qt@@@Z,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?beginGroup@QSettings@kso_qt@@QAEXABVQString@2@@Z,?beginGroup@QSettings@kso_qt@@QAEXABVQString@2@@Z,??1QString@kso_qt@@QAE@XZ,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?beginGroup@QSettings@kso_qt@@QAEXABVQString@2@@Z,??1QString@kso_qt@@QAE@XZ,??0QVariant@kso_qt@@QAE@H@Z,??0QVariant@kso_qt@@QAE@H@Z,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?setValue@QSettings@kso_qt@@QAEXABVQString@2@ABVQVariant@2@@Z,?setValue@QSettings@kso_qt@@QAEXABVQString@2@ABVQVariant@2@@Z,?setValue@QSettings@kso_qt@@QAEXABVQString@2@ABVQVariant@2@@Z,??1QString@kso_qt@@QAE@XZ,??1QVariant@kso_qt@@QAE@XZ,??1QVariant@kso_qt@@QAE@XZ,??0QVariant@kso_qt@@QAE@H@Z,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,?setValue@QSettings@kso_qt@@QAEXABVQString@2@ABVQVariant@2@@Z,?setValue@QSettings@kso_qt@@QAEXABVQString@2@ABVQVariant@2@@Z,??1QString@kso_qt@@QAE@XZ,??1QVariant@kso_qt@@QAE@XZ,?endGroup@QSettings@kso_qt@@QAEXXZ,?endGroup@QSettings@kso_qt@@QAEXXZ,?endGroup@QSettings@kso_qt@@QAEXXZ,??1KWpsCloudSvrSettings@krt@@UAE@XZ,	7_2_00AFAD00

Creates install or setup log file

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

File created: C:\Users\user\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Jump to behavior

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

7_2_64E0B3F0

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009F95A0 SHGetSpecialFolderPathW,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegDeleteValueW,RegDeleteValueW,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegDeleteValueW,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,RegOpenKeyExW,RegCloseKey,RegCloseKey,RegDeleteValueW,RegCloseKey,RegCloseKey,

5_2_009F95A0

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00C2A610 GetLastError,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,ProcessIdToSessionId,OpenProcess,OpenProcessToken,CloseHandle,CloseHandle,RegOpenCurrentUser,RevertToSelf,

5_2_00C2A610

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Window / User API: threadDelayed 630			Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Window / User API: foregroundWindowGot 622			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kqingaccountsdk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksearchpanel\ksearchpanel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krpt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksandbox\ksandbox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kscreengrab\kscreengrab.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksaddndr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksharedoc_xa\ksharedoc_xa.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\diffbase\office6\mui\default\templates\printTemplate.pdf_bk (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kqingdlg\kqingdlg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\krecentfile\krecentfile.dll	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_5-118076

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe TID: 2036

Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

Code function: 7_2_64E64E10 GetSystemTimeAsFileTime followed by cmp: cmp ebp, 04h and CTI: jbe 64E6530Bh

7_2_64E64E10

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File Volume queried: C:\Users\user\Desktop\wps_download FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File Volume queried: C:\Users\user\Desktop\wps_download FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File Volume queried: C:\Users\user\Desktop\wps_download FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	File Volume queried: C:\Users\user\Desktop\wps_download FullSizeInformation

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A0C1A0 PathAddBackslashW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,SHGetSpecialFolderPathW,	5_2_00A0C1A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A1C140 PathAddBackslashW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	5_2_00A1C140
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D42F0 FindFirstFileW,PathFileExistsW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,GetLastError,FindClose,CopyFileW,lstrcmpW,FindNextFileW,	5_2_009D42F0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A34270 SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,FindNextFileW,FindNextFileW,StrStrIW,StrStrIW,FindNextFileW,FindClose,CoUninitialize,	5_2_00A34270
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009CB6E0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	5_2_009CB6E0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009EFBA0 RegCloseKey,FindFirstFileW,MoveFileExW,MoveFileExW,FindNextFileW,FindClose,MoveFileExW,Concurrency::cancel_current_task,MoveFileExW,MoveFileExW,	5_2_009EFBA0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A37D60 RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,FindFirstFileW,FindNextFileW,FindClose,GetLastError,	5_2_00A37D60
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009EC0D0 FindFirstFileW,FindNextFileW,FindClose,CopyFileW,RegOpenKeyExW,RegSetValueExW,RegCloseKey,	5_2_009EC0D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00990160 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindClose,GetLastError,GetLastError,RemoveDirectoryW,MoveFileExW,GetLastError,FindClose,GetSystemDirectoryW,SetFileAttributesW,DeleteFileW,MoveFileExW,SetFileAttributesW,DeleteFileW,GetTickCount,MoveFileExW,MoveFileExW,lstrcmpW,FindNextFileW,__Init_thread_footer,	5_2_00990160
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A004A0 PathAddBackslashW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00A004A0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A5E890 SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,DeleteFileW,FindNextFileW,FindClose,CoUninitialize,	5_2_00A5E890
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009D5150 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_009D5150
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A3F6B0 PathFileExistsW,GetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,WritePrivateProfileStringW,WritePrivateProfileStringW,WritePrivateProfileStringW,WritePrivateProfileStringW,	5_2_00A3F6B0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_0098B710 FindFirstFileW,FindNextFileW,FindClose,	5_2_0098B710
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009C98F0 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	5_2_009C98F0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A3D8D0 FindFirstFileW,GetLastError,PathFileExistsW,CopyFileW,FindNextFileW,FindClose,PathFileExistsW,CopyFileW,GetLastError,GetLastError,	5_2_00A3D8D0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A39BC0 PathFileExistsW,FindFirstFileW,lstrcmpW,lstrcmpW,CopyFileW,FindNextFileW,FindClose,	5_2_00A39BC0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00A33EE0 FindNextFileW,StrStrIW,StrStrIW,CopyFileW,GetSystemDirectoryW,SHGetSpecialFolderPathW,CoInitialize,CoCreateInstance,FindFirstFileW,FindNextFileW,FindNextFileW,StrStrIW,StrStrIW,FindNextFileW,FindClose,CoUninitialize,	5_2_00A33EE0
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_009C9F70 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,DeleteFileW,FindClose,	5_2_009C9F70
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A924B0 memset,memset,GetVersionExW,wcscat_s,memset,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,??1QString@kso_qt@@QAE@XZ,?utf16@QString@kso_qt@@QBEPBGXZ,FindFirstFileW,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,?utf16@QString@kso_qt@@QBEPBGXZ,??1QString@kso_qt@@QAE@XZ,FindNextFileW,FindClose,??1QString@kso_qt@@QAE@XZ,	7_2_00A924B0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A89420 memset,wcsncpy,wcsncat,memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	7_2_00A89420
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9D6A0 ?shared_null@QListData@kso_qt@@2UData@12@B,memset,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?fromUtf8@QString@kso_qt@@SA?AV12@PBDH@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,?toNativeSeparators@QDir@kso_qt@@SA?AVQString@2@ABV32@@Z,??1QString@kso_qt@@QAE@XZ,?utf16@QString@kso_qt@@QBEPBGXZ,FindFirstFileW,?fromUtf16@QString@kso_qt@@SA?AV12@PBGH@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?fromUtf8@QString@kso_qt@@SA?AV12@PBDH@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,??0QByteArray@kso_qt@@QAE@ABV01@@Z,?append@QString@kso_qt@@QAEAAV12@ABV12@@Z,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,FindNextFileW,?shared_null@QListData@kso_qt@@2UData@12@B,?shared_null@QListData@kso_qt@@2UData@12@B,FindClose,??1QString@kso_qt@@QAE@XZ,	7_2_00A9D6A0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9A95C ??0QString@kso_qt@@QAE@PBD@Z,??1QString@kso_qt@@QAE@XZ,memmove,memset,wcscpy_s,_invalid_parameter_noinfo_noreturn,memset,memset,memset,GetVersionExW,memset,FindFirstFileW,??0QString@kso_qt@@QAE@XZ,?isOverseasVersion@product@krt@@YA_NXZ,??4QString@kso_qt@@QAEAAV01@PBD@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??0QByteArray@kso_qt@@QAE@ABV01@@Z,??1QString@kso_qt@@QAE@XZ,DeleteFileW,FindNextFileW,??1QString@kso_qt@@QAE@XZ,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00A9A95C
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A9BA70 FindClose,Sleep,memset,FindFirstFileW,FindClose,Sleep,	7_2_00A9BA70
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A92A40 ?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?shared_null@QListData@kso_qt@@2UData@12@B,?isEmpty@QListData@kso_qt@@QBE_NXZ,?toNativeSeparators@QDir@kso_qt@@SA?AVQString@2@ABV32@@Z,??0QChar@kso_qt@@QAE@H@Z,?endsWith@QString@kso_qt@@QBE_NVQChar@2@W4CaseSensitivity@Qt@2@@Z,??YQString@kso_qt@@QAEAAV01@PBD@Z,?utf16@QString@kso_qt@@QBEPBGXZ,FindFirstFileW,FindNextFileW,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,?fromWCharArray@QString@kso_qt@@SA?AV12@PB_WH@Z,?QStringList_contains@QtPrivate@kso_qt@@YA_NPBVQStringList@2@ABVQString@2@W4CaseSensitivity@Qt@2@@Z,??1QString@kso_qt@@QAE@XZ,FindNextFileW,FindClose,??1QString@kso_qt@@QAE@XZ,	7_2_00A92A40
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00B07DB0 FindFirstFileW,_wcsnicmp,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,	7_2_00B07DB0
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A97E40 memset,FindFirstFileW,DeleteFileW,FindNextFileW,memmove,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?isSupportRibbonScale@product@krt@@YA_NXZ,?fromAscii_helper@QString@kso_qt@@CAPAU?$QTypedArrayData@G@2@PBDH@Z,??1QString@kso_qt@@QAE@XZ,?shared_null@QHashData@kso_qt@@2U12@B,?translate@QCoreApplication@kso_qt@@SA?AVQString@2@PBD00H@Z,??0QChar@kso_qt@@QAE@UQLatin1Char@1@@Z,?arg@QString@kso_qt@@QBE?AV12@ABV12@HVQChar@2@@Z,?utf16@QString@kso_qt@@QBEPBGXZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,??1QString@kso_qt@@QAE@XZ,?shared_null@QHashData@kso_qt@@2U12@B,	7_2_00A97E40
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00A8DE50 memset,FindFirstFileW,memset,memset,_wcsicmp,memset,memset,_wcsnicmp,FindNextFileW,FindClose,	7_2_00A8DE50

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009F75A0 GetTempPathW,PathAddBackslashW,GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,PathAddBackslashW,GetTickCount,

5_2_009F75A0

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_0096C9C0 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,

5_2_0096C9C0

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\kappcustomwidget\static\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\kappcustomwidget\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	File opened: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kapplist\mui\default\html\kappcustomwidget\static\css\	Jump to behavior

Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.2626467328.0000000001376000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00C8F898 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00C8F898

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00A63770 OutputDebugStringW,GetSystemWow64DirectoryW,GetLastError,OutputDebugStringW,SHGetSpecialFolderPathW,DeleteFileW,DeleteFileW,DeleteFileW,RegCreateKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,

5_2_00A63770

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

5_2_00C2A610

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

5_2_0098D6B0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CAE844 mov eax, dword ptr fs:[00000030h]	5_2_00CAE844
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00CAE888 mov eax, dword ptr fs:[00000030h]	5_2_00CAE888
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C8F597 mov eax, dword ptr fs:[00000030h]	5_2_00C8F597

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00A2BF90 GetNativeSystemInfo,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,GetSystemDirectoryW,GetNativeSystemInfo,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,PathAppendW,PathRenameExtensionW,PathQuoteSpacesW,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,

5_2_00A2BF90

Enables debug privileges

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C8F898 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00C8F898
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_00C7F82B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00C7F82B
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B146A8C IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6B146A8C
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B146D8B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6B146D8B
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B152AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6B152AB4
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B152917 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6B152917
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B1755F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6B1755F4
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: 5_2_6B17545A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6B17545A
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_00C1509F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00C1509F
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E0E981 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_64E0E981
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E0EB24 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_64E0EB24
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E7B502 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_64E7B502
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Code function: 7_2_64E7B659 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_64E7B659

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe c:\users\user\desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_xa_mui_free.exe.500.2083.exe -installcallbyonlinesetup -defaultopen -defaultopenpdf -asso_pic_setup -createicons -curlangofinstalledproduct=en_gb -d="c:\users\user\appdata\local\kingsoft\wps office" -notautostartwps -enablesetupmuipkg -appdata="c:\users\user\appdata\roaming"
Source: unknown	Process created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe "c:\users\user\desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_xa_mui_free.exe.500.2083.exe" -downpower -installcallbyonlinesetup -defaultopen -defaultopenpdf -asso_pic_setup -createicons -curlangofinstalledproduct="en_gb" -d="c:\users\user\appdata\local\kingsoft\wps office" -notautostartwps="c:\users\user\appdata\local\kingsoft\wps office" -enablesetupmuipkg="c:\users\user\appdata\local\kingsoft\wps office" -appdata="c:\users\user\appdata\roaming" -msgwndname=wpssetup_message_48854e -curinstalltemppath=c:\users\user\appdata\local\temp\wps\~4872e0\
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Process created: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe c:\users\user\desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_xa_mui_free.exe.500.2083.exe -installcallbyonlinesetup -defaultopen -defaultopenpdf -asso_pic_setup -createicons -curlangofinstalledproduct=en_gb -d="c:\users\user\appdata\local\kingsoft\wps office" -notautostartwps -enablesetupmuipkg -appdata="c:\users\user\appdata\roaming"	Jump to behavior

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00A29E10 LoadLibraryExW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,CreateMutexW,CreateMutexW,CreateEventW,

5_2_00A29E10

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009D6950 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_009D6950

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_6B1468AB cpuid

5_2_6B1468AB

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: EnumSystemLocalesEx,	5_2_00CAF2C2
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	5_2_00CAF46C
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_00CB7AF2
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoW,	5_2_00CB8158
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoEx,	5_2_00C822CA
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00CB827E
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoW,	5_2_00CB8384
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00CB8453
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: EnumSystemLocalesW,	5_2_00CAEEB3
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoW,	5_2_00CB7CED
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: EnumSystemLocalesW,	5_2_00CB7DDF
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: EnumSystemLocalesW,	5_2_00CB7D94
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: EnumSystemLocalesW,	5_2_00CB7E7A
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00CB7F05

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Queries volume information: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe	Queries volume information: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt.conf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt.conf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt\plugins\platforms\qdirect2d.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt\plugins\platforms\qwindows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\kpacketui\mui\en_US\kpacketui.qm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt\plugins\imageformats\qsvg.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\qt\plugins\iconusers\qsvgicon.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\kpacketui\mui\en_GB\kpacketui.qm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\kpacketui\mui\de_DE\kpacketui.qm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\kpacketui\mui\en_GB\kpacketui.qm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\product.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\product.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qwindows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\styles\qwindowsvistastyle.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\en\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\en\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\en_GB\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\en_GB\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\en_US\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\en_US\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\th_TH\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\th_TH\lang.conf VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.lck VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.lck VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.lck VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe	Queries volume information: C:\Users\user\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat VolumeInformation

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_0099C4B0 RegCloseKey,WaitForSingleObject,GetLocalTime,_strrchr,_strrchr,GetCurrentThreadId,GetCurrentProcessId,EnterCriticalSection,LeaveCriticalSection,SetEvent,

5_2_0099C4B0

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_00CB1DA0 _free,_free,_free,GetTimeZoneInformation,_free,

5_2_00CB1DA0

Source: C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Code function: 5_2_009DEFB0 RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,std::locale::_Init,RegCloseKey,GetVersionExW,GetVersionExW,

5_2_009DEFB0

Source: C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Binary or memory string: 360Safe.exe
Source: 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	Binary or memory string: ravmond.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Bootkit	1 Windows Service	12 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	1 Access Token Manipulation	Security Account Manager	161 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Search Order Hijacking	1 DLL Side-Loading	1 Process Injection	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bootkit	DCSync	5 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	147 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Search Order Hijacking	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wps_wid.cid-735916525.1730301987.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kqingdlg\kqingdlg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\krecentfile\krecentfile.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksandbox\ksandbox.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kscreengrab\kscreengrab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksearchpanel\ksearchpanel.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ksharedoc_xa\ksharedoc_xa.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kqingaccountsdk.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krpt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksaddndr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\diffbase\office6\mui\default\templates\printTemplate.pdf_bk (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\wps\~4872e0\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://s%1.vip.wpscdn.cnTTransportException:	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://www.wps.com/eula	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://phapi.wps.cn/api/v2/handle/setting	ksomisc.exe	false	unknown
https://wpsplus.com	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://account.wps.cn/healthy	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
https://curl.se/docs/http-cookies.html	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
https://sharefolder.wps.cn/api/v1/space/notify/ownerspace_owner_id	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://up.wps.kingsoft.com/wpsupdate2009	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3790893433.0000000001550000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://ocsp.di	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3772969203.0000000015005000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.wps.com/pc/special/api/user/remove-data	ksomisc.exe	false	unknown
https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
http://120.131.9.220	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=&version=&chann	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
http://dw-collect-debug.ksord.com)datesign_eventslocal	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://switch.pcfg.cache.wpscdn.cn/wps_cdn_config/hashcalcswitch	ksomisc.exe	false	unknown
https://qing.wps.cn	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://s%1.vip.wpscdn.cn	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://www.wps.com/privacy-policy	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://curl.se/docs/alt-svc.html	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
https://www.wps.com	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4122341949.0000000015581000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://deviceapi.wps.cn	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/package/SOFTWARE	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
http://wu005.kuaikuai.cn/wpsupdateoad	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://deviceapi.wps.cnclient_type=%1	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://www.wps.com8	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://curl.se/docs/hsts.html	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp, 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
https://curl.se/docs/alt-svc.html#	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
https://sharefolder.wps.cn	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://en.ksupdate.com/errorreport/up	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://csp.withgoogle.com/csp/scaffolding/ascnsrsggc:51:0	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://curl.se/docs/hsts.html#	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
http://dw-online.ksosoft.com/api/dynamicParam/v3/app/2.9.0dcsdk_eventv3.dbdcsdk_dpv3.data10C	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://qr.wps.cn	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://120.131.9.220$	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://qing.wps.cne_id_type	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://curl.se/docs/http-cookies.html#	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	false	unknown
http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=kdcsdk_infoc/wps/client/appcountrycodelastupdate	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://qr.wps.cn/api/v3/channel	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://wpsplus.com/3rd/drive/api/v3/mine/team/link/%1with_corp_name=%1	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://conf.psvr.wps.cn	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000003.3748445348.0000000014990000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://en.ksupdate.com/errorreport/uphttps://en.ksupdate.com/errorreport/up-crashdmp	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://www.wps.com/eulaprivacy_policylicense_agreementlabelTitleMsg_Wps_OnlineSetup_TaskMsgMsg_Wps_	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
http://wu005.kuaikuai.cn/wpsupdate	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4116265647.00000000036B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsggc:51:0	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, 00000005.00000002.4121012144.0000000014EE6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown
https://website-prod.cache.wpscdn.com/pkgs/win/setup_XA_mui_Free.exeSOFTWARE	wps_wid.cid-735916525.1730301987.exe, 00000000.00000000.2238530081.0000000000A55000.00000002.00000001.01000000.00000003.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.206	unknown	United States	15169	GOOGLEUS	false
104.16.84.69	unknown	United States	13335	CLOUDFLARENETUS	false
90.84.175.86	unknown	France	5511	OPENTRANSITFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545519
Start date and time:	2024-10-30 16:43:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wps_wid.cid-735916525.1730301987.exe
Detection:	SUS
Classification:	sus26.evad.winEXE@6/1037@0/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 55% Number of executed functions: 185 Number of non-executed functions: 52
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Execution Graph export aborted for target 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe, PID 6128 because there are no executed function
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: wps_wid.cid-735916525.1730301987.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.16.84.69	https://eu.docworkspace.com/d/sIKzT-6_PAfKtvrgG?sa=601.1123&data=05%7C02%7Cpawel.szuminski@mmcg.co.uk%7C3306ab8a4c924de29d5108dcef7d4b00%7C88f8632e06d34cf0b90694c0251f986c%7C0%7C0%7C638648568602700662%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=GSQ2KWuN7dSWSt7Qxxa59nm67jQdzMO38mXj+TAUa8I=&reserved=0%20%3Chttps://gbr01.safelinks.protection.outlook.com/?url=https://linkprotect.cudasvc.com/url?a=https%3a%2f%2feu.docworkspace.com%2fd%2fsIKzT-6_PAfKtvrgG%3fsa%3d601.1123&c=E,1,ibkDEAmMDiOODy7K4yYOHXlrNZSwIUyvYRqyN-P7QzVZgEIAr5lAv4gSIQh8j9CWT9OcTs7dcSF-FkHQ3xNgo2T8zxGLba9DtMPxCYn_Hbo1odxtD5AQgg,,&typo=1	Get hash	malicious	Unknown	Browse
90.84.175.86	https://eu.docworkspace.com/d/sIKzT-6_PAfKtvrgG?sa=601.1123&data=05%7C02%7Cpawel.szuminski@mmcg.co.uk%7C3306ab8a4c924de29d5108dcef7d4b00%7C88f8632e06d34cf0b90694c0251f986c%7C0%7C0%7C638648568602700662%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=GSQ2KWuN7dSWSt7Qxxa59nm67jQdzMO38mXj+TAUa8I=&reserved=0%20%3Chttps://gbr01.safelinks.protection.outlook.com/?url=https://linkprotect.cudasvc.com/url?a=https%3a%2f%2feu.docworkspace.com%2fd%2fsIKzT-6_PAfKtvrgG%3fsa%3d601.1123&c=E,1,ibkDEAmMDiOODy7K4yYOHXlrNZSwIUyvYRqyN-P7QzVZgEIAr5lAv4gSIQh8j9CWT9OcTs7dcSF-FkHQ3xNgo2T8zxGLba9DtMPxCYn_Hbo1odxtD5AQgg,,&typo=1	Get hash	malicious	Unknown	Browse
90.84.175.86	http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/distsrc/200.1095/wpsinst/wps_office_inst.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OPENTRANSITFR	https://eu.docworkspace.com/d/sIKzT-6_PAfKtvrgG?sa=601.1123&data=05%7C02%7Cpawel.szuminski@mmcg.co.uk%7C3306ab8a4c924de29d5108dcef7d4b00%7C88f8632e06d34cf0b90694c0251f986c%7C0%7C0%7C638648568602700662%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=GSQ2KWuN7dSWSt7Qxxa59nm67jQdzMO38mXj+TAUa8I=&reserved=0%20%3Chttps://gbr01.safelinks.protection.outlook.com/?url=https://linkprotect.cudasvc.com/url?a=https%3a%2f%2feu.docworkspace.com%2fd%2fsIKzT-6_PAfKtvrgG%3fsa%3d601.1123&c=E,1,ibkDEAmMDiOODy7K4yYOHXlrNZSwIUyvYRqyN-P7QzVZgEIAr5lAv4gSIQh8j9CWT9OcTs7dcSF-FkHQ3xNgo2T8zxGLba9DtMPxCYn_Hbo1odxtD5AQgg,,&typo=1	Get hash	malicious	Unknown	Browse	90.84.175.86
	https://q7bmw.com/	Get hash	malicious	Unknown	Browse	90.84.161.27
	http://wwwuhex9z.xyz/	Get hash	malicious	Unknown	Browse	90.84.161.27
	http://wwwuhex9z.xyz/	Get hash	malicious	Unknown	Browse	90.84.161.27
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	90.84.161.27
	SecuriteInfo.com.Win32.TrojanX-gen.16449.26967.exe	Get hash	malicious	Unknown	Browse	90.84.161.27
	SecuriteInfo.com.Win32.MalwareX-gen.14234.12476.exe	Get hash	malicious	Unknown	Browse	90.84.161.27
	SecuriteInfo.com.Win32.TrojanX-gen.17640.30814.exe	Get hash	malicious	Unknown	Browse	90.84.164.13
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	90.84.161.27
	SecuriteInfo.com.Win32.MalwareX-gen.14234.12476.exe	Get hash	malicious	Unknown	Browse	90.84.161.27
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://cosiosos.com.de/7i2ko/	Get hash	malicious	HTMLPhisher	Browse	172.67.175.107
	https://myworkspacec1d73.myclickfunnels.com/onlinereview--9cb35?preview=true	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://zastromts.za.com/v3oX/#E	Get hash	malicious	HTMLPhisher	Browse	104.21.11.102
	Receipt.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
	weekly-finances-report.xlsx	Get hash	malicious	KnowBe4	Browse	104.18.91.62
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	weekly-finances-report.xlsx	Get hash	malicious	KnowBe4	Browse	104.18.90.62

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Process:	C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
File Type:	Qt Binary Resource file
Category:	dropped
Size (bytes):	204860
Entropy (8bit):	7.653760301981393
Encrypted:	false
SSDEEP:	3072:FuaPzvJK3yKe+jEWc8R9GgeZMCT9srF/793w8:FuEBKiKNEZMCsFDV
MD5:	A2503BF64C81C74B0F2960BD3297E247
SHA1:	DEE022D942A3BBE8364F5162DC7940A43B9347EE
SHA-256:	F1C52A3973A6CDB068B45ED27B990B9C20E537AF85B04DF871912E74B71D4FFC
SHA-512:	5399E416FF0359DD52EA474CF233EF879F0F15BC3F90769390CF1905342DBFEF5DE614EFA795F9E8A461F50408452A3B8F324BA82FA8490946E0E2BB644DB3FC
Malicious:	false
Reputation:	low
Preview:	qres..................,..PNG........IHDR.......x....._..... .IDATx^.}..eWY.....{...~..@......:.Fp..t...2.....#.........z\F.....h....2.Zh.......$.....WW.u.w...~.sn.s.n.:KI.=...........{gZ.V.z.j4..l.`...U[...lS..7....G.......T..3...C..\|.7...U`Wk.X]/...^.A.?..5..'y....A..}....k..i..S.}.L..$Vn....N...oT...X]e.&F.073.}=...v....E.....a1..hv_...x.W"E.`..........n.......4r!=.[>........n..... \.o.').'...^.b....MLh...a../...$.5..\|...sA.....C...@u..;.E..vJ..V.........(.e{..=...KE..M..x..^...bb.....f....-...M....5....{...f...2X......g.[.8.v.....1.....v....;J..2....3.....'Ce..t..Q....l....c..P..6.G....Q...I...9..&.im.v...]F&...6g..C....d...4~..W..;......I.H.&....#M.}^..fS....s3..N.c...P.7..d.3.]w....b.....!.v..F.H`K.........ZR........P..K.P.......H.K.JE.../.yk.m.ka..L_&.{.Gc[.-U..i..e..j..v..]Y....F.F'.e.aj<...]s.....h..v......p)....+.:.............Rd.....2....IU......I.`..7.^...A........*.N..(..%K..'F. ;..a.w.q...W.D..u.........x....;lw.l

Process:	C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe
File Type:	PNG image data, 1308 x 696, 8-bit colormap, non-interlaced
Category:	modified
Size (bytes):	68645
Entropy (8bit):	7.948583913788126
Encrypted:	false
SSDEEP:	1536:X8ZVznZbnsger3xernd5ThGpYFZdV+UxDjQg3ScX:8VV4ge7ULd5ThsEZqU9QU
MD5:	1BC2F7678AE9D9AE6461DD7C4BC8B142
SHA1:	571B62251DB6B4EB440C35A05C09959A86A910FE
SHA-256:	EEE45D0D93A0A1D56E32F7C9C2B22EE78C187B6692A4F7F4F1624DA144FA9487
SHA-512:	3FF71CD56F75E8EBF4FB169E4B076EB67596759A225110353A3660EE5DC4735AAC888968640CF0301047C8121F9032AEF2B60170C05030E66A8FF26D3F7D0EDD
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR.............!..5....PLTE......``aHHI.N.............stu.+................9n.......... m.6g....5h............................(J..........C..B..#c.,Q.A..E..:w..W.@.....J..F..4`....G..>.................A..iij<..(........=..&?........./X..........?..... u....3A..8....#~.&\.....a.T..:..3...b.6F...J.P...../..}....\|..,..(P.......3]..0.!t..j.....C.<...`.)E.-P.6g....(..(G.".....8...x.3..<....7..r..7T..Q.-u.F.....B..#<.)......_.8..u...l.5..1Y.:...U.......5)....f............+.......>..J...7.........?W....$...P...t.!..K..W..(6.+..!...PW.........6L.My.c.....?7.\..n..0..{..Bk..9.X..`..d.................GG.s..0W.R.......m..Fb.RRS...S..... X.\|..Vf....9~.j..r~....I.d..k.....V..m.....N......cu...Ru.Qh.{..;..C....$.....%..w.../..I.#..H..F.9......w.+...........!._..D.v.. w...R....X...R....IDATx..=r.0.......:.f.. <./.K....2..+.-e6.od. z.y..Hy...g.^.7...8B.....#........Q9........w.5....p.r..5.. ...S.jZ?/cP.\|T...'...........x...~..]...q..<.P...Q.L...WL..K.w.....9..N.r.c

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.940178460808811
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wps_wid.cid-735916525.1730301987.exe
File size:	5'806'976 bytes
MD5:	8d76bb0011099f752d1df93ad3f697f2
SHA1:	467d3da8b2fa7ff0d2958d30c3345c109647e09d
SHA256:	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772
SHA512:	1526f49a0b14ed46c0fc68781e71009121e6f9807a3c262d6fa50c69fb37f59a711c9ae383ed8f30ed14b60456aafc80bfac10fccf90ef6fc27d4191693ddc8d
SSDEEP:	98304:irI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4s9w0dGzB/vr:RXGULEFrcPJzAxf4+FGVD
TLSH:	0C46B012F78694F1E5C101F024BAABBA5C3DAA29573589C3D7E11D2984302D37E3BB5E
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......#..Yg...g...g...<...~...<.......<...f.....q.j...5...t...5...}...<...f...5.......<...x...<...d...g...r...........g..............

Entrypoint:	0x673ee2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67094FDB [Fri Oct 11 16:18:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	26ba65d1a9fc9fd7f8842f912062f241

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/07/2024 02:00:00 25/06/2025 01:59:59
Subject Chain	CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=\u73e0\u6d77\u5e02, S=\u5e7f\u4e1c\u7701, C=CN
Version:	3
Thumbprint MD5:	E0D54B892938E532842A818E4AD1FB63
Thumbprint SHA-1:	28A51774B306556772DCCBB655746C3DB332732E
Thumbprint SHA-256:	CB1B68B39AC9E5FB92DBED413B19BF949D82610A6F16CC59E249801821942B65
Serial:	0D1B24B68F3741034B9B1151C59ED692

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4af144	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c7000	0x9deb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x584a00	0x5180	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x565000	0x294f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x490f50	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x490fc0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x465548	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3e5000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4acda4	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3e3af6	0x3e3c00	a6de30b1273e1c1f86f258fea1062d6c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3e5000	0xcb4be	0xcb600	a81a9fa13e5ed896a1cee7162e5a4ae2	False	0.44776380992624465	data	5.953909416024413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4b1000	0x151f4	0xde00	b5bb2a67e875d487bb0433f0121a20b4	False	0.23960092905405406	data	4.820664396727245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4c7000	0x9deb0	0x9e000	65fdcffc9720a257378e15570c19ebe1	False	0.8035919575751582	data	7.61150237294491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x565000	0x294f0	0x29600	df993ab9c55553a6b88d627686aa502e	False	0.559703077794562	data	6.614595093529496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
ZIPRES	0x4c7350	0x57d02	Zip archive data, at least v1.0 to extract, compression method=store	Chinese	China	0.9829794095895819
ZIPRES	0x51f054	0x1c396	Zip archive data, at least v1.0 to extract, compression method=store	Chinese	China	0.9826393093784059
RT_ICON	0x53b3ec	0x6b72	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9998545771831601
RT_ICON	0x541f60	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.13987637525139004
RT_ICON	0x552788	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	Chinese	China	0.16643893210006305
RT_ICON	0x55bc30	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.20778223901747755
RT_ICON	0x55fe58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.26016597510373446
RT_ICON	0x562400	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.3269230769230769
RT_ICON	0x5634a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.4012295081967213
RT_ICON	0x563e30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.5558510638297872
RT_STRING	0x564298	0x78	data	Chinese	China	0.75
RT_GROUP_ICON	0x564310	0x76	data	Chinese	China	0.7457627118644068
RT_VERSION	0x564388	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States	0.4647577092511013
RT_MANIFEST	0x564714	0x79c	ASCII text, with very long lines (1948), with no line terminators	English	United States	0.30236139630390146

Target ID:	0
Start time:	11:44:38
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wps_wid.cid-735916525.1730301987.exe"
Imagebase:	0x670000
File size:	5'806'976 bytes
MD5 hash:	8D76BB0011099F752D1DF93AD3F697F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	5
Start time:	11:45:15
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_GB -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\user\AppData\Roaming"
Imagebase:	0x8f0000
File size:	252'569'368 bytes
MD5 hash:	4A300FA35A277A4BE0455ECEEF3B4FDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	11:45:24
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_GB" -D="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\user\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\user\AppData\Roaming" -msgwndname=wpssetup_message_48854E -curinstalltemppath=C:\Users\user\AppData\Local\Temp\wps\~4872e0\
Imagebase:	0x8f0000
File size:	252'569'368 bytes
MD5 hash:	4A300FA35A277A4BE0455ECEEF3B4FDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	7
Start time:	11:47:13
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_GB
Imagebase:	0xa80000
File size:	3'269'504 bytes
MD5 hash:	7680119F3DE2925404AE2615898AC605
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	144

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wps_wid.cid-735916525.1730301987.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\advancedexportpdf\advancedexportpdf.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\chrome_100_percent.pak

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\chrome_200_percent.pak

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\icudtl.dat

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\locales\en-GB.pak

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\locales\en-US.pak

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\resources.pak

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\snapshot_blob.bin

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\cef\v8_context_snapshot.bin

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\mui\default\icons.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\mui\default\icons_svg.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\mui\default\icons_svg_xa.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\mui\default\scenebeautify.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\mui\default\waitingwidgets.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\mui\default\web_beautifywpp.data

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\res\changetheme\css\app.css

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\res\changetheme\images\loading-24.gif

C:\Users\user\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kaiwpp\res\common\img\waiting-64.gif

Windows Analysis Report
wps_wid.cid-735916525.1730301987.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre