Malware Analysis Report

2025-01-02 07:48

Sample ID 240509-wpdf5sfc4w
Target 2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil
SHA256 35146a3795c50e229be65d164d793ffb2af695f75902e0d28ee992fdc51b12a7
Tags
privateloader bootkit discovery evasion loader persistence spyware stealer trojan bruteratel backdoor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35146a3795c50e229be65d164d793ffb2af695f75902e0d28ee992fdc51b12a7

Threat Level: Known bad

The file 2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil was found to be: Known bad.

Malicious Activity Summary

privateloader bootkit discovery evasion loader persistence spyware stealer trojan bruteratel backdoor

Brute Ratel C4

PrivateLoader

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Checks computer location settings

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Drops file in Program Files directory

Modifies system executable filetype association

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 18:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 18:05

Reported

2024-05-09 18:08

Platform

win7-20240221-en

Max time kernel

148s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe"

Signatures

PrivateLoader

loader privateloader

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lnkfile\ShellEx C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{A1BBCFD9-B54C-443D-BC56-0BC3840120DB}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp /Preview" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\et.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\ C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\mui\\default\\resource\\ksee\\EqnEdit.exe" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700070002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\ C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\refedit.dll" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\kwpsmenushellext64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wps /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{D5A42435-00FB-427E-ADE7-B753DEF2E9D7}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Roaming\\Kingsoft\\wps\\addons\\pool\\win-i386\\pdfwspv_1.0.2024.3\\pdfwspv.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{00024437-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{000208A1-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{000C1715-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{D4022C32-9535-4C40-B21F-99388F587143}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{00024423-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Trendlines" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000C03BA-0000-0000-C000-000000000046}\ = "TabStops2" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{0002091F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{000208A2-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WPP.PPTX.6\Insertable C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{00020936-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.dpsx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\ = "OCXExtender" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KMSO2PdfPlugins.Component\CLSID\ = "{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\PowerPoint.Application.12\CLSID\ = "{91493441-5A91-11CF-8700-00AA0060263B}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000C1730-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000244D1-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{55764DA4-BB0F-4781-8342-D85F1D800ACB}\1.0\0\win32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{0002443C-0000-0000-C000-000000000046}\ = "GroupShapes" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{000244B0-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{C1AD33E4-F088-40A9-9D2F-D94017D115C4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{B3A1E8C6-E1CE-4A46-8D12-E017157B03D7}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{C8C9D844-72C0-41F5-B6FF-9DA99BE2A812}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{DA936B62-AC8B-11D1-B6E5-00A0C90F2744}\TypeLib\ = "{0002E157-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000209FE-0001-0000-C000-000000000046}\ = "IApplicationEvents2" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{0002087B-0000-0000-C000-000000000046}\ = "SoundNote" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{00024445-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\02139C37CE085D11E9C8000CF4970D96\2052 = 260069006700410056006e002d007d00660028005a005800660065004100520036002e006a006900500072006f006400750063007400460069006c00650073003e005200750040002d003700470055004900240040003f00570072004c00440028004f005000300072000000320030003500320000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInInstance\CurVer\ = "MSAddnDr.AddInInstance.1" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000CD102-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{92D41A77-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "SeriesLines" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{00024491-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{00024443-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ET.Xlsm.6\shell\ = "open" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Word.Document.12\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wpsofficeicon.dll,37" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000209E5-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{584FDEA7-9D1F-44C7-97DC-784136862930}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{91493492-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{00024434-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{000208B9-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{00020863-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{0002E164-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{B3A1E8C6-E1CE-4A46-8D12-E017157B03D7}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\KET.Template.9\ = "WPS Spreadsheets Template" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{00024477-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BF3A922-7E10-4241-9FD3-654FEDECC52A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{9149348F-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DataLabels" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000244B4-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KMSO2PdfPlugins.Component\ = "Kingsoft MSO2PdfPlugins Addin" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000C0410-0000-0000-C000-000000000046}\ = "SignatureSet" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{000C03A6-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{C2B83A65-B061-4469-83B6-8877437CB8A0}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\KET.SecWorkbook.9\shell\open C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{00024433-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000208D6-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{00024487-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WPP.SLDX.6\Insertable C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000C1709-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{000CDB09-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{00020853-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2176 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 1784 wrote to memory of 2588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2412 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2064 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2064 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2064 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2064 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2584 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2584 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2584 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2584 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2020 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2020 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2020 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2020 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 2020 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2020 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2020 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2020 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 984 wrote to memory of 2608 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe

"C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office"

C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe

"C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_F76B5D7 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f76b339\

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -installregister sharedMemory_message_F7702EE -forceperusermode

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -installregister sharedMemory_message_F770F7B

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -sendinstalldyn 5

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2020 /prv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kwpsmenushellext64.dll"

C:\Windows\system32\regsvr32.exe

/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kwpsmenushellext64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe" /from:setup

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe" -createtask

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\html2pdf\html2pdf.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\\office6\ksomisc.exe" -defragment

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install_onlinesetup

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -getabtest -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -getonlineparam -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=2160 --field-trial-handle=2380,i,11055575241299280470,7004628966924918449,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=752 --field-trial-handle=2380,i,11055575241299280470,7004628966924918449,131072 --disable-features=TSFImeSupport /prefetch:8

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2460 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2808 --field-trial-handle=2380,i,11055575241299280470,7004628966924918449,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2460 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=2380,i,11055575241299280470,7004628966924918449,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2460 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=2380,i,11055575241299280470,7004628966924918449,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=2396 --field-trial-handle=2380,i,11055575241299280470,7004628966924918449,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run /InstanceId=wpsdesktop -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2024.3/kwpsbubble_xa.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=1072 --field-trial-handle=1284,i,7996069957741130977,1437958832885674958,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=1648 --field-trial-handle=1284,i,7996069957741130977,1437958832885674958,131072 --disable-features=TSFImeSupport /prefetch:8

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2008 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1792 --field-trial-handle=1284,i,7996069957741130977,1437958832885674958,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=1072 --field-trial-handle=1284,i,7996069957741130977,1437958832885674958,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.136/kdocreminder.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.136/kdocreminder.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run -User=Admin "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -regpdfwspv

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" LocalService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -regpdfwspv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\pdfwspv.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wdl1.pcfg.cache.wpscdn.com udp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 api.wps.com udp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
US 8.8.8.8:53 udp
FR 90.84.175.86:443 tcp
US 104.16.83.69:443 tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
US 8.8.8.8:53 abtest-api.wps.com udp
FR 90.84.175.86:443 abtest-api.wps.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 34.209.139.59:443 tcp
US 8.8.8.8:53 cloud.wpscdn.com udp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 ai.wps.com udp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 api-ad-adapter.wps.com udp
FR 90.84.189.232:443 api-ad-adapter.wps.com tcp
FR 90.84.189.232:443 api-ad-adapter.wps.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 abroadad.cache.wpscdn.com udp
US 8.8.8.8:53 ovs-activity-server.wps.com udp
GB 18.245.162.126:443 abroadad.cache.wpscdn.com tcp
GB 18.245.162.126:443 abroadad.cache.wpscdn.com tcp
GB 18.245.162.126:443 abroadad.cache.wpscdn.com tcp
GB 18.245.162.126:443 abroadad.cache.wpscdn.com tcp
GB 18.245.162.126:443 abroadad.cache.wpscdn.com tcp
GB 18.245.162.126:443 abroadad.cache.wpscdn.com tcp
FR 90.84.175.86:443 ovs-activity-server.wps.com tcp
FR 90.84.175.86:443 ovs-activity-server.wps.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 ovs-activity-server.wps.com tcp
US 8.8.8.8:53 ovs-activity.wps.com udp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.8.8:53 d19a1mtic3m6gl.cloudfront.net udp
GB 18.245.187.68:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.245.187.68:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.245.187.68:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.245.187.68:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 firebase.googleapis.com udp
GB 172.217.16.234:443 firebase.googleapis.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 d19a1mtic3m6gl.cloudfront.net udp
GB 18.245.187.92:443 d19a1mtic3m6gl.cloudfront.net tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
BE 64.233.167.155:443 stats.g.doubleclick.net tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
GB 216.58.204.67:443 www.google.co.uk tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 104.16.83.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
GB 18.154.84.94:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.4.4:443 dns.google udp
US 216.239.32.36:443 region1.analytics.google.com udp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.8.8:53 udp
US 34.209.139.59:443 tcp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.4.4:443 dns.google udp
GB 216.58.204.67:443 www.google.co.uk udp

Files

C:\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\pl_PL\style.xml

MD5 034f37e6536c1430d55f64168b7e9f05
SHA1 dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 a639eeb67e6f191622d9fc2364ef6276
SHA1 b81595f493cedaf5cad3ed886f187a7520abce0f
SHA256 cbf471f962fe2541102e9cab521fd8cfc8674bb0ac68a3326f5181115cdc22bc
SHA512 093c12ec206120252b403cd057b23cd6d8e440740d499f72ce8b08044bf9b8c99e3efaa69ce7947632bb8b78104d599b4c7da7af128af5ce9fa3167509844e79

memory/2412-187-0x0000000000210000-0x0000000000212000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 2ab8f9332594927cd96788efe14ac168
SHA1 7591d76a5ee9847d801134f260a12feee233138f
SHA256 c43b04cc376d9a156acc5b94afa1d18e34afb77d7e40acfb0c0a52d340d622f4
SHA512 fff739707a89e56de2e070a50e1df6b95ae4dc4bff1330f876f92924123431a68ca65523961a07a771205e88ce9086131af23f9749d27ccba666dd7af831da15

C:\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\product.dat

MD5 e568b6577db690b099db51338853f0be
SHA1 2d24319c334b6319bb19c580f537e6339de48bc5
SHA256 257f1947e656eced86713f72deea7261afe30bb07e9c4f109ea29a6c2df63f16
SHA512 16cf5f031bd8a3e1998b350913d7963140c95ef75e8cac2a5f878a9d3c80691fae24463ad9af64a426fe97dc78a0f51edf75b4a92429191c0809bfcd0f0aefac

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 c38481658f9149eba0b9b8fcbcb16708
SHA1 f16a40af74c0a04a331f7833251e3958d033d4da
SHA256 d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2
SHA512 8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 9af5527659cfadecc3266a931dab03ae
SHA1 cbc48504b796c9b084b47c6d033baefc39445a77
SHA256 414102a3f2ac86159669a0836b3dbab3aac69a7d6e5a6fea783854ec699ae23e
SHA512 0593b4377c9416c48dc4fc9a9dbc69caca010a67e644e37b40bfd7f2695bb6065823389b35f2e958ee85bf1d1b2fb30bc62fc4206dce14091303245c265d483c

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 a9519168ca6299588edf9bd39c10828a
SHA1 9f0635e39d50d15af39f5e2c52ad240a428b5636
SHA256 9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3
SHA512 0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5WinExtrasKso.dll

MD5 b3843e058782a993918045cb73d84e25
SHA1 dbbc24f2da2e5b9b94a00aa41c08935be184c12d
SHA256 aa696dc9058ed7987675837be2601edd28306a42153d5112dacc9b156a1fceb1
SHA512 3c237aa06409d774f6bbd3aa1116677a39f5f8f166dfcfa2fecab9d266f5b247bb9d2d623ce780631f857366059ce204912c039c7b5352cd2d5a7cbfb748a10e

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\kpacketui.dll

MD5 922e87292d25e0e5114e844457305309
SHA1 f71ba802373150ce5f70b7dc65400fb5c4f11422
SHA256 8c04e43b9e4470198db0b539dbb41812cc1140a0932e69de6b9541e363d6cd31
SHA512 a70410d76b2655e31c48e6604a56bfe48ae236494ebbb53c2d94064046a371ecca93671ccb4d80f0084dfa601b68f530eef676ccd2ef804995b4271c3dfe612c

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

MD5 b181124928d8eb7b6caa0c2c759155cb
SHA1 1aadbbd43eff2df7bab51c6f3bda2eb2623b281a
SHA256 24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77
SHA512 2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

MD5 86421619dad87870e5f3cc0beb1f7963
SHA1 2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2
SHA256 64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab
SHA512 dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

MD5 cd3cec3d65ae62fdf044f720245f29c0
SHA1 c4643779a0f0f377323503f2db8d2e4d74c738ca
SHA256 676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141
SHA512 aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

MD5 b5c8334a10b191031769d5de01df9459
SHA1 83a8fcc777c7e8c42fa4c59ee627baf6cbed1969
SHA256 6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d
SHA512 59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

MD5 21519f4d5f1fea53532a0b152910ef8b
SHA1 7833ac2c20263c8be42f67151f9234eb8e4a5515
SHA256 5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1
SHA512 97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\ucrtbase.dll

MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5GuiKso.dll

MD5 eeeca78826c60d6c8a0c1068f852246a
SHA1 7daf41eb25258972581e0b05b0c18a9afdfa4efb
SHA256 b65f069e69952658f8e1b0452d9846682df2be483b640f446f050897db865acd
SHA512 516e53a7c67cd7ef5d67342381f8f0fec84ff582c322e6952529d04df5e30ed96f4584fcb3d188314850425110818952c756bc2fa6f3bd28ae59e9fcfa2dd5a5

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

MD5 3dfb82541979a23a9deb5fd4dcfb6b22
SHA1 5da1d02b764917b38fdc34f4b41fb9a599105dd9
SHA256 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb
SHA512 f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

MD5 461d5af3277efb5f000b9df826581b80
SHA1 935b00c88c2065f98746e2b4353d4369216f1812
SHA256 f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf
SHA512 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

MD5 0979785e3ef8137cdd47c797adcb96e3
SHA1 4051c6eb37a4c0dba47b58301e63df76bff347dd
SHA256 d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257
SHA512 e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

MD5 d0b6a2caec62f5477e4e36b991563041
SHA1 8396e1e02dace6ae4dde33b3e432a3581bc38f5d
SHA256 fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf
SHA512 69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 a1b6cebd3d7a8b25b9a9cbc18d03a00c
SHA1 5516de099c49e0e6d1224286c3dc9b4d7985e913
SHA256 162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362
SHA512 a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

MD5 50b721a0c945abe3edca6bcee2a70c6c
SHA1 f35b3157818d4a5af3486b5e2e70bb510ac05eff
SHA256 db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d
SHA512 ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

MD5 88f89d0f2bd5748ed1af75889e715e6a
SHA1 8ada489b9ff33530a3fb7161cc07b5b11dfb8909
SHA256 02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc
SHA512 1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5765103e1f5412c43295bd752ccaea03
SHA1 6913bf1624599e55680a0292e22c89cab559db81
SHA256 8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4
SHA512 5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

MD5 f364190706414020c02cf4d531e0229d
SHA1 5899230b0d7ad96121c3be0df99235ddd8a47dc6
SHA256 a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2
SHA512 a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

MD5 a6a9dfb31be2510f6dbfedd476c6d15a
SHA1 cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7
SHA256 150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c
SHA512 b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

MD5 4f06da894ea013a5e18b8b84a9836d5a
SHA1 40cf36e07b738aa8bba58bc5587643326ff412a9
SHA256 876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732
SHA512 1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\vcruntime140.dll

MD5 e51018e4985943c51ff91471f8906504
SHA1 5899aaccdb692dbdffdaa35436c47d17c130cfd0
SHA256 ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
SHA512 2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\msvcp140.dll

MD5 5fd0772c30a923159055e87395f96d86
SHA1 4a20f687c84eb327e3cb7a4a60fe597666607cf3
SHA256 02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
SHA512 132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5CoreKso.dll

MD5 d461f7fca9f7cc55734b0668e5ccb646
SHA1 4a83f0ccf3df09f5421f016fee2bf8de96db7660
SHA256 f4251af34a7cfc5fb74e5bfdac5ac9651b7066fa066e5a5c7c5d150c19318ca0
SHA512 94357000adfa2e45e222ac186b19553b415c14e81013bda0e93a600cbadc197f561eaee65a7aed03c265f286f3473625fac2bfb1afb96c80f4972c67eefdb676

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5SvgKso.dll

MD5 74f1aae0ad9c77088879f0f068603b14
SHA1 4dc66aca99fca616801e7e1e08eb61e87ad65ef0
SHA256 6bf93e0575acec1c1bccf7e4d33a4c9a4f12c51811c41ed695115bcc60081d4f
SHA512 dcabee00b11db242552827663bd8eaba89bb94e4ed2f02793467c21630124074acdd1d55682a56d9b5875b3626ccff99cbab666ebdc8820d1bd4d058ce1ca029

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\qt\plugins\platforms\qwindows.dll

MD5 9f471c987bb028f30b5a51ca83fc5586
SHA1 d91252f67c70e1b17138133c0d31463da1184176
SHA256 555c000fdbddab11c017da8055f58169a55f8772dbac78ca8e4572a6553db071
SHA512 cc42fdb7ff0d20f485e9d5bcf7df5bf3b79e626ef44c3cae23e9179cf97b197564cb73fa4f2521495f95a3e337c1f0d533f6d3f2c36900a84dc2f546ef5e9474

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5WidgetsKso.dll

MD5 6e3b3eaff5e4feee5496de76532bd54e
SHA1 d3fb5b3edd0039752fa979553da639b9457463b9
SHA256 e37630a7ea0ba754a51495e7d1595dd8e98bb20f09009f3c62ca48778f1bbbd6
SHA512 b2458e55d6d3787dc938017a3df99e54ac1d16fb427b33b9309b8b4b7bc905f45fd7431c8d18f5e97f42599aa5a4ca04a01583f2d124d7fe57e9880f97c154c0

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

MD5 d2a04dc52ea4ffcadb4881c9c120b9b3
SHA1 5ff9b4de60e3868697d81fb910b373c7c0a7c4a5
SHA256 271815def5e81d60dce20a982ad9cec1dc08fb43bf37a29c1266a5a367e5f3fc
SHA512 3ef40bf306275ff0202d24209274f7a00acf268763ff3e7d5abd81c84b2a398701a2b317aa00e67316b74aef734e11edaeb3e08fa2adeada77e6663cf143bf2c

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

MD5 6dd89155cc60c5daf2bec34971d45f56
SHA1 5c550dcaa072296d7697947e15daa629b78fae6f
SHA256 e32f73979f372cb76088df4ca8ee621ff9f853352d5236ee14854868212b601b
SHA512 9896a47418e15b13902cf5300f9331d818d94708f76949f56c28bbecc241e1c0aa153473bde30aa723381045decd01bc375ccdee9b07e00a31dbafa1f51cc961

\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

MD5 e128074d836e990fa6e8c20c16598f6a
SHA1 16c786082777f3f80a486d2303360e06f63ed599
SHA256 88910fcdc54e2a80a7ec124920cf0af8ee1221480c2ebfd181555ec6e6a9088d
SHA512 82e95748595102467b0248a7981137e269b8c6123f5383eef40017a0fe41141d59156a6b48bf6d574ed60d8d7929a9a9f34ccb8e07e5089af4ca100a9b765526

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 4f56abb6caafc61843f2006052c5d019
SHA1 806e3d695bfbe1ac69caca689fbc834ba58c0095
SHA256 5a315689277911418f50306f00a6a185220ccd4ee79d0b195cf4dcf38bfc2e74
SHA512 fa43e991bbd539265dc31e23c2fdf6b2bb737c6a8ab571df36f412b0b9d6c00bdfc372f3a53f4bd4822ef7a79af8c140a84e6f3c820655e38a715a9f64857780

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

MD5 c5ad1903526a9ca4c2f55cfea1e22778
SHA1 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512 e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

MD5 b4b4c703bf5c6c0b5e9c57f05012d234
SHA1 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm

MD5 2b42be10ddde43a0b6c2e461beae293a
SHA1 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512 be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

C:\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5CoreKso.dll

MD5 8104fdcc2caa3b42b140d8498eae6cfe
SHA1 1413352da713c786d1ff9be2eddda36a8245a8e5
SHA256 5a3ea2eee0535589b0de2c1468891c2285570136257261eb50c2744bf5d8fc9e
SHA512 20f83309437afc57bd4ef58d48c54c229482fd10e3b0e7e93bc8ec637dabb6ce7b6ab67942d97a35b0ff7c8694d054fa3f87a0050c04678509be99cddfaaf675

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\qt\plugins\platforms\qdirect2d.dll

MD5 b120a3c32571f1ea2da38aa7bc3fb65f
SHA1 652d1cc2759e96df7c668b78501a609af5a6a045
SHA256 23168a629ec4bd8ab76ef93d32318d70643b0b7714f5be9534190075232fce49
SHA512 29283cc3be5f7609f921ef721366f55238456c8c0f574af30c65f6fb266ef699e09316aff5ec6d14b31090ad7f0e6d516d18f9a144df8317b0df0d71e81e7dbf

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\Qt5GuiKso.dll

MD5 cd71405fd88a13daeaadc9122878f294
SHA1 2eb6ca95ede0507b7fd0fae164b34cebb61dd639
SHA256 39963edad28df386ae535070b20371a5ba4de445912df1b1cabff915c82364cf
SHA512 d573962fd3f15f6701477b328d3395a5e4c78fd847e5e7123ab7d58d5e3d51d959765f16e6848fd879e0c527ccdb115aa312074905380a3ac4881dbaca316fe6

C:\Users\Admin\AppData\Local\Temp\wps\~f76b339\CONTROL\office6\Qt5WidgetsKso.dll

MD5 4cf25152e7fdc3863d35ab01ed7e5f95
SHA1 bcf5d327cbd6d6b3903d47c63516d81f56361229
SHA256 c70e1ad07aa161eb6dd42fe5109c910ea358935c653c0082654f6810df844b5f
SHA512 706d2edb3c9f4a32554cf07d5faeaa2b7aa8d22f0f0c0076541efd73e093387dd264026dcbae7b790cafd260257288449048df7b277f8407278bf127da669a14

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

MD5 183330feb3b9701fec096dcbfd8e67e4
SHA1 2f43379fefa868319a2baae7998cc62dc2fc201d
SHA256 ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

MD5 c7a10599297c9d06acf8bf4b83ff3d7b
SHA1 08c314c300a66c56c3ea9e5a6db42c448a236bf0
SHA256 160c900a8ecdd59c47d06b2d250aad79ff93ae1c233dafc09e4e854e8015ac93
SHA512 73d5a9dc067231009a852a64b97196a8b8832f1a376786db3616ed12b4391656b88804a990c0579b198e9e780ad8e5c12f8cfe71a41d3b5ded83d9929cbbb79a

\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\Qt5NetworkKso.dll

MD5 890a5bf085167cf3aee0f4d57b7e05b6
SHA1 1bbfe7ca2cf0678b433790289cdc7db57d68e36f
SHA256 7d16714b843343e370ec36bda4a058280ba3528636c57a085b168c979f1f48c5
SHA512 e44385e82c2a85a63d3860f590003d9d42d2343a78e9501541208363e3ff9c76f46bc25f36fb7f326b13143fd259dfaac71e49caa7f0edf02c35d1f479627c4f

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

MD5 75742bbf10df9fa3be5b48a5aa0b7a0f
SHA1 431d42986fd9d198c0edd3555991ad8b7be68822
SHA256 de198d6174ec79954964fbc1cf758e4e42f323615492540cce90d1f4432da226
SHA512 e5219a3ca7b4c9eb791128ca905b653cebfad4df751282ca1f0f28b5d026d5b24c420b4ee00c09e53106c6059e20ac9c2581e4997674accd892f5a76d05bc3ac

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\setup.cfg

MD5 7d78a2449b45fc839f125b47b637bed0
SHA1 29528d84082fe773bbd0570629437ce66d9125d7
SHA256 45cff35c455d94d3832155bd0f7725d7f2734818e688258f033576d0e54cd5b5
SHA512 06b74bf4c906c029b3005ba600d02bd7815b4b14e4795548a89ead1669cd87a83ad00a4f4adbdb5414f73db1ebd0697b0f91029fb07ed6894e9bcbf833263a03

\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\api-ms-win-core-synch-l1-2-0.dll

MD5 eb6f7af7eed6aa9ab03495b62fd3563f
SHA1 5a60eebe67ed90f3171970f8339e1404ca1bb311
SHA256 148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02
SHA512 a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875

memory/2584-4018-0x00000000373D0000-0x00000000373E0000-memory.dmp

memory/2584-4019-0x0000000070530000-0x0000000070E86000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_05_09.log

MD5 f1b0b2ded080411146a0ed810d39da6a
SHA1 bef2475931ec2d0ca7506b2ec2755245c1251a3e
SHA256 1f213631ece79a64628871438e860cdc4e1f9d8ba45038c55345c986e01eb336
SHA512 2e42ffc373d1808a70aa23e1b2d87e1cbde90c4e363132eefa9552fb26d408b8b31d8c1ecdd3db1e1f55c9562344a65129b8da1912070095a89540ae60c3937a

memory/2584-4022-0x000000006D040000-0x0000000070068000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

MD5 399414494af9d9062c1f5d8a2cdfd373
SHA1 6d5e24562fb818c83ffd6940d1f2c0797b67876f
SHA256 d6722ffe62a6c0c635975a38b5a2cf593390e9ee52c72b1f778c2f5b49a1eb60
SHA512 3285e12bfcb320fe0d3221812d10141f50d9e9d29b198008b43d8926f8b92262f854943246eac5bf046c878c1ff1166d1ef3c2f917844ba4cd34ec4625e1ee5a

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

MD5 144c48713c3dcf8961602bc008bc0fa3
SHA1 47fe6c8e5d35cda6092d2aa1ca119b3b097858e2
SHA256 9ab28c6f66d8900a2f3b3d78c0f1ea6cc1abd55e86c17422c0632997800ac846
SHA512 0209e683ca66750e9ba44e47da08a67017bf460e669e7d36998e5504ab8114c8004760457a503c447eb890a0e05fc82cc69b713cab4062a815176be3fb3721a8

memory/2588-4104-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

memory/2588-4105-0x0000000037040000-0x0000000037050000-memory.dmp

memory/1240-4103-0x000000006DB20000-0x000000006DB30000-memory.dmp

memory/1240-4102-0x000000006DB00000-0x000000006DB10000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\oem.ini

MD5 223673e5e8d77083765b70ddf7a0f7f6
SHA1 3b5c4d6304ed6ada0ec607f44a2aace24ec16126
SHA256 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82
SHA512 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52

C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

MD5 d85bea0be54d2d7fb5e617933c98e05d
SHA1 58c22cd9e5667faf13187912d3084ee57751b896
SHA256 e87522fb06ed709ba8b93cd35aab296ca9d91ca6208b97bac6bce26c1c6481b8
SHA512 7ecc093c76d3e5ec57e638d053d482338c2df1bce77231bc272bd5e9c2199180dffca71dce376b079b16392dfa24b37381ca4e77c3f07478328ac5002516d388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LB787TB85PX9OY73744L.temp

MD5 d6d46e6255ae090688677cb7354fdf05
SHA1 d7ebf2b57dae41a3e687f9c33d0cd8c3747664d1
SHA256 e0b22289d154900ecb9450e3ca3a226d31e5897aea0b49547c3b2917878fb5db
SHA512 391a5f203cdb7f8c9c5881118d43921722fca90d607030b244e9d35cf9d66bf4db4b37634a749433ed82f94172a27bf7dab93ee56dffa99c74b8a41f3990ab7e

C:\Users\Admin\AppData\Local\Temp\Cab1A85.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1A97.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_05_09.log

MD5 0697f543b40a0db5e1c5a04af64ae693
SHA1 3bc891eef4d66ec28f1244a7a84bab49a8c2f6eb
SHA256 4211540acebe3a4f81dd83785d56f1e4728f4cdf568f171d536699483bc1f059
SHA512 96f477def67f0edb347ca0ebd36361c08e496ab349a4fa43fe57dced45d891ec50310f4ef2d6258e43cf0d0a43180280fad38034f388eec63150d4d06e4d8bae

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

MD5 4575dafa42048d7d0cbf2607be66036a
SHA1 31614b05ee0a24626fca02d95c0f39716d3f267e
SHA256 0801c8b80a4f94fb3659e57fa10c601ce6b98ebbaf33e9928c27dcba4b321803
SHA512 f48dd6ce186136577ed42bf16ad1265c04ba39de1d03b4c8b8166e7b644bc467aece4a351f4a440ba8b920ac9b384e533b9f696b2ad26ecb8b06f75a5ef29631

memory/2460-4744-0x000000006F160000-0x000000006FD0F000-memory.dmp

memory/848-4752-0x0000000068CD0000-0x000000006BCF8000-memory.dmp

memory/2412-4763-0x0000000073E40000-0x0000000073E43000-memory.dmp

memory/2412-4765-0x0000000073AC0000-0x0000000073B41000-memory.dmp

memory/2412-4764-0x0000000073B50000-0x0000000073E3A000-memory.dmp

memory/2072-4768-0x00000000373D0000-0x00000000373E0000-memory.dmp

memory/2412-4762-0x0000000073E50000-0x0000000073E53000-memory.dmp

memory/2412-4761-0x0000000073E60000-0x0000000073E63000-memory.dmp

memory/2412-4789-0x0000000072640000-0x000000007264F000-memory.dmp

memory/2412-4788-0x0000000072650000-0x000000007265A000-memory.dmp

memory/2412-4787-0x0000000072660000-0x0000000072683000-memory.dmp

memory/2412-4786-0x00000000726E0000-0x0000000072829000-memory.dmp

memory/2412-4785-0x0000000072830000-0x0000000072CA1000-memory.dmp

memory/2412-4783-0x0000000072D10000-0x0000000072D13000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Local Storage\leveldb\CURRENT~RFf772913.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/2412-4782-0x0000000072D20000-0x0000000072D25000-memory.dmp

memory/2412-4781-0x0000000072D30000-0x0000000072D33000-memory.dmp

memory/2412-4780-0x0000000072D40000-0x0000000072D43000-memory.dmp

memory/2412-4779-0x0000000072D50000-0x0000000072D53000-memory.dmp

memory/2412-4778-0x00000000737E0000-0x00000000737E3000-memory.dmp

memory/2412-4777-0x00000000737F0000-0x00000000737F4000-memory.dmp

memory/2412-4776-0x0000000073800000-0x0000000073804000-memory.dmp

memory/2412-4775-0x0000000073890000-0x0000000073894000-memory.dmp

memory/2412-4774-0x0000000073A60000-0x0000000073A63000-memory.dmp

memory/2412-4773-0x0000000073A70000-0x0000000073A74000-memory.dmp

memory/2412-4772-0x0000000073A80000-0x0000000073A94000-memory.dmp

memory/2412-4771-0x0000000073810000-0x000000007387F000-memory.dmp

memory/2412-4769-0x0000000072D60000-0x0000000073263000-memory.dmp

memory/2412-4766-0x0000000073270000-0x00000000737C7000-memory.dmp

memory/2412-4784-0x0000000072CB0000-0x0000000072D0E000-memory.dmp

memory/2412-4760-0x0000000073E70000-0x0000000073E73000-memory.dmp

memory/2412-4759-0x0000000073E80000-0x0000000073E83000-memory.dmp

memory/2412-4758-0x0000000073E90000-0x0000000073FAF000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\plgpack.plgx

MD5 ac0da90737a20a2a73b5df5ac2619c6e
SHA1 19c4382092fda4bc03398a36f9f498f09a67033a
SHA256 365a590c88cbf825e84b51f398007f05c5e8397e3903950f9860d04067b2ce9c
SHA512 ef8a4b387912b879adf5ad4aef9259ae2b67c2dd62a1c8268cff0b1577e330113e16f55de0a23f3b61add3283c41d131703c0472d3828b0e0a0619d268f524d2

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.107\download.7z

MD5 0edafbd62638a75ae8b4debc9fd0b3db
SHA1 814e953384ee2771bfcde0584b0f6f5691217ede
SHA256 3332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8
SHA512 ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kvipupgradepage_xa_1.1.2024.1\download.7z

MD5 d791a4c5021c3934aa216b9bf5b447d0
SHA1 f954fe837a9fda1f8172280beb2fe9b578a71a51
SHA256 1af1948f4c1f6f753b3a920a787552a072d88c060b7fd3a834343f0dc9f2fbfe
SHA512 32b91c12d8922ab3dbb9735770e8533c3de84c9562c3725606d42d50b3acb97891eb65660c7bdd36684c7fabca07e054aa8b4b667b6f701213e33f08a187bdf2

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\res\index.html

MD5 66bbeb8733bee0c788685880cc46acc5
SHA1 07d104aa23fd4ad765095ea771667e1440ac6bca
SHA256 faf96f1472b09c6eed78da690151b5b57133733e2f562dc6678602746a79342b
SHA512 2d919a92b2c425d0f08d609fd825de151c5ce54cd31d83405054fa84194c85568ba512af4f1b38136c12152764ae0ae34441f36b4f23ed5ae74438502b0d1558

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\res\static\js\manifest.js

MD5 af5a4ff62384fe67791d8cde9176ac0d
SHA1 cf5aa9528fe795b75a569352466ad944652185c8
SHA256 5d1122539ce1ae98804e216cbfcada9f2603fe4f86454b2b29e7d7448da97891
SHA512 f78a72b7ba06b257fec3a97bb62d20f7562212e995d62438bfe3d8181fe7f56c3e14194e9203e64b0e259a7cbdd900125f5f185bc8d736c881f8ca0e2920273d

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\download.7z

MD5 ded028d22792f4a299acbd2d410e5f0d
SHA1 940944738e557237c0099117c635da874cf78263
SHA256 20d84711493557b73f42b31171cc6840a8079248209768ddc75d10da46ab6bc4
SHA512 28ff645f3e78ca9a88cbdaeebb47504178385627d1fbdf68b099901e8db3afc470251413a453c82e7633c232a7c4400789819213fe79e7e3518791775f8d54a9

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.193\download.7z

MD5 3b91ab7795510566a0cb254022445a1b
SHA1 2894a929aaa08aafc6bc74278a1511cec2204223
SHA256 223f4d92777f385e8ac9f8055ce1362bbbcfa525e36933605481abfdf8f48c79
SHA512 53ac22c66f8883781d2904ddbc40d72fcbe9bfa586b5f4e1c083dc7ea45076ad1d2bfa9de2ce5e04b3c8bc9770f633249103761d7874e56662644d07cd502db2

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.3\download.7z

MD5 54079bd7a79b895706cb6ad73cc4c627
SHA1 45068e27f84dcd16044f4628a020629d0360d8b7
SHA256 355d005cf859c66b298bf475fd646c67ba5fc952c9f670f1b964714b24f197df
SHA512 94d65c7336e0e8597a83c633dd734157ed17d03f9317b9857141724af6b5948c20f82180b4127dfac6da3dadbb4d8aea7ecf5d23d92e87ed719a480a5b1a6c68

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.3\run.ini

MD5 ad3a68e7d8c8bf2470282567d8ca7ded
SHA1 addb5ab04165b4743ffb985918c08ba0a76a6eae
SHA256 27e743bc78f9a2862d822fc171789160905ee26545466f93052f8565aebd523f
SHA512 c8e4b63fb79c365cb48a0ee0c4351f6f94da9ba8ce62f0b14d8ed45726ebaa478f581efb37e254e75e1c561f5ffa1d8985e867957c68c04b8eaaa2945e838505

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Local Storage\leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\download.7z

MD5 87eddda6cfc1c6e1c86e1b3b371f369d
SHA1 7910a432cc964bc1e1be51e0cef2e986cf54eec2
SHA256 4cdfc143513060130052f306c0a7cb93731967dabbbfa22cf892518bfb0a6d5f
SHA512 c7bd1162cd851672e9f5ed21e8fb88d734232360be0433e98a82a9f04a4f35e2f59ced11716244f3f30ca021eebe111ef9b6e7df5eaa1c356ddc75f99445cdc8

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\pdfwspvreg.dll

MD5 ccd17aaa7644b6979f661e7c72fa077d
SHA1 9cfb25754ac4a4ed487ce6c4655ccc78b5aef975
SHA256 b5245881da869ea02155d4052eda1390339c87496da055f85c3985a912e0401e
SHA512 2199d618af0d3fc948f4c39700cc8cefa07ed75db29ec348c71c013678a9ec3befcdcc5c3cb1d804abca5df4c3e6aec10caddb29188f28fc27313d6609dc2a49

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\run.ini

MD5 0d914e316c8fc542e5685b1598899979
SHA1 52e575fc0c66b60cd79d29ae4486944cf06995b0
SHA256 484e6146403c96eaeead06a97a8ed86d67334a9185bf009a44f7b1cbe5402e2a
SHA512 77ca461895bc65f31dd8fc5182dbed383804b4d3315e210bf65195776510bf9c09c11d87589796ec1bd272f67762e5ba28be4d64b8a58f2577cb6da79dbd7319

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\qing\plugin.plg

MD5 1ff60a068f44142fa3224b08b945678c
SHA1 42e2a481ab3443a2b69bc95dd36777f45f2ebbf2
SHA256 f3a2fff28be165f85dccdb23ff7d5b252d4498dcfa2db604cec8481dffe799e0
SHA512 6082e3b8b9fdcb3ec83cc9aa16b7fcbd320dd18116f3bdce948de50d8504a824a33490472e418ab165dcb2b61bcd030dd5a8cc92ac79decd199ca78288914315

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\mui\es_MX\kdiagnostictool.qm

MD5 5afc7d8ba894df59c2b3f44726cfc2db
SHA1 a21a7a8fd943455fa47cc5d950603bf1bc5a145a
SHA256 4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be
SHA512 a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\mui\fr_FR\kdiagnostictool.qm

MD5 62f3720e184f094c874fe0eab7f0f598
SHA1 cdd858a80bbd1268e7c5278ebe19c35659871d2b
SHA256 bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14
SHA512 14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\download.7z

MD5 422a47b49c81c94a1f10078e376096da
SHA1 b2454a1d09f83138c903d9502c32124d6360904d
SHA256 9b9eb4c2cec67ed2aa307ed978701ddc86f0b63ab63fdf9b3430a91237a5f59c
SHA512 2803ae66ca2a6b2e4a4881a1266c02048d8d4a86a9ffcd01696b4463d3a18846261877933fa4cff503ca984d59976effde7de0db830b96fa4267c4d41ebcfdab

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.213\download.7z

MD5 f3ff3c47ae68b0e6234b72d354ac191b
SHA1 26c380b44ad61b258a6de56c75c7f568d8c0f876
SHA256 cbac9ef94e6c6dd11019653c64bec6a3e6970779604555f5f77974258c214333
SHA512 43f892f5172b03e4e7d8f3f3632012ca62a7cb104f26d7d746005abf94472eeff881087c1ca73483f1079f21befe321af7372c6e17b26bd77f8fd9a03935ed95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3AF5.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c1753d9e1d105ef6c0ae981f758d153
SHA1 8b934fb3e009d0eb3ef5dc598d473afe1c66052c
SHA256 92b626b176928c3eb72385c16297e2f154e04467af1d57faa373c21ace1b8ac0
SHA512 3efa57a0793195a2db46e233122382db32fbe1c588cd9c0a87bc9cb275e0a1ab957c6ece17b5689716927ced15241120ce8dfd74aab7b1275aee66badf10bb75

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.9\mui\default\icons_svg.data

MD5 cfab0f157385566514db45630505743e
SHA1 22fd33d784d7e92ecde36c0bac58c7b0efa6bf01
SHA256 80a03cc09cb0de9a155f9cff1f85b8f10dfdb89759944380da08ade1de6b9e7a
SHA512 0b5ce5bf919f8ad1f86d80412453ba578d240aaf817bab95e7cca50e9c094b40d6ade25ca33c5fe8b86fe74617a1944730bcf1e969e007966acf11d431d03a7f

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.136\download.7z

MD5 31bdb9137432706b904e8dfcdccde030
SHA1 d26fd902b9bc1048731983854ac605e894075130
SHA256 af28e7d61a9b2467a78098341ca188626a90acfa0df4b8f81587d1c35f89a55a
SHA512 119341029755a087f45a32d3d94dc320fbbc7f599ba9ab20dad4479e1a08d24eb7799cdefcb47051ba835e7fe2c220e4e153a3d660b9a22e2a56cf82910e0280

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.136\run.ini

MD5 da4b75c3d70c08be415e7b25abdc11cf
SHA1 c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225
SHA256 e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36
SHA512 0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.9\download.7z

MD5 820d0d38598cc67166dc5916e50843ae
SHA1 bb5b07d1b80bcd21b48da146e9c910ef778293d8
SHA256 7262c3145aa2940abe1b2f5bb2a3f20147dcfa8e6ee9fed3b001ef51a784ba82
SHA512 599502b8285068af17647a843d38698a0f5469231da1d303996afda18200bc90538a7d91b0e7261917acaa00b2367f1471895dd851ac9052bebbf71e131d625b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpsbox\plugin.plg

MD5 2590ea571c92102a87bfdd67ea4c2198
SHA1 05cac266ea786c20b033d2d4e47bd52b44743868
SHA256 497d08eb919b25ec696d8cedeb37dd70438e963a3876eddbce65a5c3d6b38d16
SHA512 ab877c22d0f48f4a06f05fc7cec9717cc992d5619c97809e0462640b0e60c1c49e19f2a897fbd0964cff175008ee9d11ae02c820b2a9bde68e03a8250d8fe540

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpp\plugin.plg

MD5 02608cde8b78360e28afaeea1d19fc68
SHA1 bf726db0557421384fc8471e736b1ae77606f58b
SHA256 c76636ad3595186c5ed8b2720ba266b5d4ce7d4914de5f47ce7e8e55a0d00502
SHA512 3712c4f450ecf188f0460cae48ed191897d61390d3c46c1b834cafba8ae5102aeba6252f473af6cee2eff3c28f790c9030a4bfa3832379e56edee29a943e117e

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\photo\plugin.plg

MD5 4f1d6ac2c1e920761c52a2d9c0a872e6
SHA1 86c6daaa12c5b36dcbc333fd7f5cb0be7c7c936b
SHA256 6326a5629d8be738d11ec54e5127a32a06d989d62a72afe9546a665a81c04379
SHA512 94da0cd58e660fb1caa1854ff70035b447eb6a24c2887eaf729b19c7d207abf1005adbefb4d0503aa0d4217f2b709e183e7d425e115da681d2fdc9cc0cc52a6c

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\pdf\plugin.plg

MD5 0610281e36fec15f6d9c5b757a6fd2c5
SHA1 09eda1eb8d6f95f8ba607f02f1af227bfed887bc
SHA256 365d5ec6366728883fa4509e7b937ae0a575174f0924aa041c80562dc9bbe65e
SHA512 bec747070281958f0e261dd9add3e2bc90df23bc7792249bde1f7d7d52dfb1c481719ffd3fc5a0acc75b4d20edc1059064afda71aa135aab7ebe1ec4c4f17dfc

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpsoffice\plugin.plg

MD5 90abe12bca7b280b363c545b461831bb
SHA1 422660560fdc23c93b3206bd863996d4d552c9a0
SHA256 1dfe4c8aa454ad5ca6d96b32db5a886458acc95b1c693c8faede4ab229e17965
SHA512 469de76962db937062edad100c225d5352d730f3df34549eb4835bbaff1a1e14019658a4d93fc9a1d2a85157e6b83b3007b956d71f5f8c930525b4165de92509

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wps\plugin.plg

MD5 aa556ae2a76725f3ef5655f16ab478f8
SHA1 0dde21b78e390181d3233d74946913703f336dcf
SHA256 854794ca8530d34479cb8205f16749006ae285c7d2dfcb2cdf98b41a880122eb
SHA512 8a6127af209b1590761928bb9043eb7975588ffbf2ab4c5b1ed5a3c4e6fd71c266460f661636af8f0e4de3bf5094985d3b8dca061f940d296a61403cff716afe

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\kappframework\plugin.plg

MD5 773c95535f7eb6a316b5ad63a15a2449
SHA1 7fb34309f5f5bf1fb769370f5bde00091e6520ac
SHA256 ef7a43d0cf98859a7418b8b2f65ee1a140dfbd608fa39d714786c64968d214af
SHA512 7137edccff0eebeb8196a3e5cf94c69d821a1bd566fa8b0649bcff17a12fa013212e609dca9b05346142e91b427825d3657489928a1affd46e046c4d77a5454b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\pdf2word\plugin.plg

MD5 1d0fd57efa2cd6d7db0078b3cb6fa54d
SHA1 3da7bfb85e030fb1e137a3fc006b5e630e3cf594
SHA256 3cb7b3a5d576b96f4cec9a0168570f494b77336a55c9123ea1deb7986ca8aa2f
SHA512 5633d8e1a1e60c213ebd804c5292d635119dc044b2adff91805011d4bfcf1da5ae962544684ad96eeed3a8a31a82d3ee00c026a5f0abb65e8711a7d1e2aac767

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\et\plugin.plg

MD5 1c97e9eb8c02d24e794c4826339cde61
SHA1 419d0e62b0828b9f45d4589abf6c7938d8c4618f
SHA256 71f5db321dbf23853ceff4aaf2139987da07617774353e405b0b3532b6623c9a
SHA512 ed95918d92c95b1c41368f0c77d4662ab4c1f3139d9ed6ea689660530fdaa506bb81920cd02ea16768c902b8965f70255bad0a5006cf08e2761a35d6fa7c3af6

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\premiumcode\element-icons.ttf

MD5 732389ded34cb9c52dd88271f1345af9
SHA1 8058fc55ef8432832d0b3033680c73702562de0f
SHA256 a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2
SHA512 e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\premiumcode\element-icons.woff

MD5 535877f50039c0cb49a6196a5b7517cd
SHA1 0000c4e27d38f9f8bbe4e58b5ce2477e589507a7
SHA256 ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17
SHA512 da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\vippayment\assist\base64.js

MD5 12477cb6bc99f90086f05e54ea7dcbe8
SHA1 4009eefda873514a6579830888d5f12c50d7b3de
SHA256 6520eca957e8a4d7e68e0dfe17f1cea9d42c6378962f454e7a911ff32e5e6248
SHA512 a7a16f935d71f60bb382622ff781a3cef234865efbaef62ee268163a416bdd9ea285f33c843fb729cf8b8eb6d18a81de5311b01d19b48c998b08d79f29e59d13

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\download.7z

MD5 3303884fbf771d8e3dd645bbc8bd76cc
SHA1 cef8fe59d3161645cec87eae5d8d426604e4f2a2
SHA256 77756cc9c3fa51ec2bd20a39f9c3ffabfb152ac4dd285bf8befae228971f7cf1
SHA512 053abe0567cf8e99c49b9bf3395dd5e8db1c360dd4805c516c9c97ebe0532b0a9090e6fc2f41fbaa910fae21e594d2850729dd527b72dfbbceb53e479f874b62

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\pdfwspv.dll

MD5 4c6221b526433ba802635e2fa0d53ff2
SHA1 059bf2b126ee3b901b7a9dee8b53c7e648cc5ebf
SHA256 300994947e4af25ddcea546e285f9d35131e7efa0070d9855d873646d4a73177
SHA512 b1bdfd321ca6b788948383902b9f317bb46a8abfffc4fda29bfd51381f96be9af35274ff7d62c761fb83b09a05e2bb179df6817fc631e67a315787b86f4b31f0

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\vippayment\main\img\loading.svg

MD5 544223e85768fd134633a1af9d5bf536
SHA1 5536a0023ddbfb2ab67e9ad8ca4d38c60f413b9a
SHA256 a3df9710c7e09fd8cffc14bfe45f5a1576deb1846ced44e5050b34caf5527049
SHA512 a5cacba054d41af8efd607074c02f36ab731b5d6bc9ffd3bd7ce6b09a4af09b31e29359eb965728d2a00849467b1af66e16186a0c07b4415b3b423a5ea4f68ca

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\download.7z

MD5 b940bcdf5973099a51bfe448a9ead54a
SHA1 4c1b47814c8620283b372d476d264209051c9e44
SHA256 76b12ee03d41b2957ba52a0c7a64de8022c048ad9eadb13b4c99ff08955ce085
SHA512 dc900f0a694d09e2d0cecb0082105df9e9dcd7f7cb0564db5983d8c4977f7f9323ea6dd565665ccaafb60b5b448c38f2c45ef64af4dfa55a051a263623ccd295

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Code Cache\js\index-dir\the-real-index

MD5 851a14f5b643c518a4a21bcd2533e187
SHA1 774677a7257b42356001ba3ca959a888b6750699
SHA256 72c39e61cb472d742965b77c08bc710f49c929d87e1c9cbebe7ccf15936284ae
SHA512 52610690910d7f65954195b24bc8fe11159afefd981234b2dd779602edf95f0fa0bca43efb27715ebd70256df41deb5903055c7fc9f5e3c808ed4443986bcd3a

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Network\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Network\TransportSecurity

MD5 15b627c2b2bec475096438725e10300f
SHA1 52f707aa0058c15cc1233546d358f9c0ef5815e7
SHA256 9948fd78fe53145670292e2dc291f67f22d47863e0f2b4c8e07987ef6a2f8976
SHA512 bab6b9aaf95e1061f7ddce392849e5dc1e635c1fa6403e765c2a504a3bda9e8534fd3de941f166b86bb20ce48f672942be04b5aff9f795b9bfa1990a08cd77a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 18:05

Reported

2024-05-09 18:08

Platform

win10v2004-20240508-en

Max time kernel

101s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe"

Signatures

Brute Ratel C4

backdoor bruteratel

PrivateLoader

loader privateloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700070002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\refedit.dll" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wpp.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{A1BBCFD9-B54C-443D-BC56-0BC3840120DB}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et /Preview" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\kwpsmenushellext64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\kwpsmenushellext64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{0C7FEF07-DCD9-4120-9647-D1CE32F289CD}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\KWPS.Template.12\shell\new\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wps /t \"%1\"" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{0002085B-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPP.POTX.6\shell\print\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp /n /p \"%1\"" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C172C-0000-0000-C000-000000000046}\ = "IMsoDropLines" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{74D13AA5-8894-4B69-BB24-61F21CFC8FDC}\ = "IKdeExtender" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020940-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{0002093A-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.PIC.pcx\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\addons\\photo\\photo.dll,23" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00194002-D9C3-11D3-8D59-0050048384E3}\ = "ILicAgent" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\KWPS.Document.12\shell\print\ = "&Print" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{B5828B50-0E3D-448A-962D-A40702A5868D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{50BAE224-485B-41C0-9619-FCCBF83CC76F}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244B1-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C030E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{07B7CC7E-E66C-11D3-9454-00105AA31A08}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\KWPP.Template.9\shell\open\command C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\KWPP.UOFPresentation\CurVer\ = "KWPP.UOFPresentation.9" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024445-0000-0000-C000-000000000046}\ = "OLEDBError" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.PIC.pbm\shell C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{52CA3750-AAF7-4525-B401-F8BACC417C33} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024421-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.pot\WPP.POT.6 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91493440-5A91-11CF-8700-00AA0060263B}\2.9\0 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000CD6A2-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000C0372-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020991-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{8FEB78F7-35C6-4871-918C-193C3CDD886D} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{AF028401-4619-4271-AFDD-F480FA925186}\ = "ChartCategory" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244C0-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.PIC.ai\ = "WPS AI Picture file" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0363-0000-0000-C000-000000000046}\ = "FileDialogSelectedItems" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{DD8F80B8-9B80-4E89-9BEC-F12DF35E43B3}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{CDE12CD8-767B-4757-8A31-13029A086305} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{91493477-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002443B-0000-0000-C000-000000000046}\ = "ShapeRange" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C031B-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020924-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002443E-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024457-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\BrowserFlags = "2147483808" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.dps\KWPP.Presentation.9\ShellNew C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\ = "TableStyle" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{256B6ABA-6A38-4D39-971C-91FDA9922814}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{656BBED7-E82D-4B0A-8F97-EC742BA11FFA}\ = "XMLNamespaces" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{914934E9-5A91-11CF-8700-00AA0060263B} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000CD706-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{873E774B-926A-4CB1-878D-635A45187595}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C033D-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\KWPS.Document.9\shell\print\command C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002092C-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\KWPP.SecPresentation.9\shell\new\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp /t \"%1\"" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024452-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0353-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0365-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020950-0000-0000-C000-000000000046}\ = "Row" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{F152D349-7D20-4C01-A42B-2D6DE4F3891C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000C031E-0000-0000-C000-000000000046}\ = "Shapes" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{A98639A1-CB0C-4A5C-A511-96547F752ACD}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000208A0-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{5A90588C-C066-4BD4-8FE5-722454A15553}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TestSignRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\FlightRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\FlightRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TestSignRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\FlightRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 1328 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 1328 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe
PID 648 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 648 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 648 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 384 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 384 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 384 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 384 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 384 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 384 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1820 wrote to memory of 2156 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1820 wrote to memory of 2156 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 648 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 648 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 648 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 3740 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 3740 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 3740 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
PID 384 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 384 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 384 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3616 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3616 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3616 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3616 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3616 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3616 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
PID 3740 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Windows\SysWOW64\regsvr32.exe
PID 720 wrote to memory of 2232 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 720 wrote to memory of 2232 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 384 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\cmd.exe
PID 384 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\cmd.exe
PID 384 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\cmd.exe
PID 384 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
PID 3740 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
PID 3740 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
PID 4448 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 4448 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 4448 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 3740 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
PID 3740 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
PID 3740 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
PID 4916 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 4916 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 4916 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 648 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
PID 648 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
PID 648 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
PID 4264 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4904 wrote to memory of 1792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4904 wrote to memory of 1792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-09_4043a9ea54c94b3bbf92ef312f004fef_avoslocker_magniber_revil.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe

"C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office"

C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe

"C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1114.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_E5857A1 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -installregister sharedMemory_message_E58B8EB -forceperusermode

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -installregister sharedMemory_message_E58DA9C

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -sendinstalldyn 5

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3616 /prv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kwpsmenushellext64.dll"

C:\Windows\system32\regsvr32.exe

/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kwpsmenushellext64.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe" /from:setup

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe" -createtask

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\html2pdf\html2pdf.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\\office6\ksomisc.exe" -defragment

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install_onlinesetup

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -getabtest -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -getonlineparam -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=3432 --field-trial-handle=3528,i,15207497565761774007,9471184186793009607,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=3828 --field-trial-handle=3528,i,15207497565761774007,9471184186793009607,131072 --disable-features=TSFImeSupport /prefetch:8

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3116 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=4108 --field-trial-handle=3528,i,15207497565761774007,9471184186793009607,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3116 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4196 --field-trial-handle=3528,i,15207497565761774007,9471184186793009607,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3116 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3864 --field-trial-handle=3528,i,15207497565761774007,9471184186793009607,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.136/kdocreminder.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run /InstanceId=wpsdesktop -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2024.3/kwpsbubble_xa.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.136/kdocreminder.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=1984 --field-trial-handle=2372,i,10507066407987126057,7707951872354157368,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=1996 --field-trial-handle=2372,i,10507066407987126057,7707951872354157368,131072 --disable-features=TSFImeSupport /prefetch:8

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=5408 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3100 --field-trial-handle=2372,i,10507066407987126057,7707951872354157368,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run -User=Admin "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -regpdfwspv

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" LocalService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -regpdfwspv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\pdfwspv.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wdl1.pcfg.cache.wpscdn.com udp
US 8.8.8.8:53 api.wps.com udp
FR 90.84.175.86:443 api.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 86.175.84.90.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.84.16.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 235.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 params.wps.com udp
FR 90.84.175.86:443 params.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
FR 90.84.175.86:443 params.wps.com tcp
US 8.8.8.8:53 abtest-api.wps.com udp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 8.8.8.8:53 movip.wps.com udp
FR 90.84.175.86:443 movip.wps.com tcp
FR 90.84.175.86:443 movip.wps.com tcp
FR 90.84.175.86:443 movip.wps.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 dyn.kingsoftstore.com udp
US 44.241.73.87:443 dyn.kingsoftstore.com tcp
US 8.8.8.8:53 87.73.241.44.in-addr.arpa udp
FR 90.84.175.86:443 movip.wps.com tcp
US 44.241.73.87:443 dyn.kingsoftstore.com tcp
US 8.8.8.8:53 cloud.wpscdn.com udp
GB 18.154.84.11:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 11.84.154.18.in-addr.arpa udp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.154.84.11:443 cloud.wpscdn.com tcp
US 8.8.8.8:53 29.123.145.51.in-addr.arpa udp
US 8.8.8.8:53 ai.wps.com udp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
FR 90.84.189.232:443 tcp
FR 90.84.189.232:443 tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
GB 18.245.162.69:443 tcp
GB 18.245.162.69:443 tcp
GB 18.245.162.69:443 tcp
GB 18.245.162.69:443 tcp
GB 18.245.162.69:443 tcp
US 8.8.8.8:53 232.189.84.90.in-addr.arpa udp
US 8.8.8.8:53 69.162.245.18.in-addr.arpa udp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 ovs-activity.wps.com udp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 d19a1mtic3m6gl.cloudfront.net udp
GB 18.245.187.6:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.245.187.6:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.245.187.6:443 d19a1mtic3m6gl.cloudfront.net tcp
GB 18.245.187.6:443 d19a1mtic3m6gl.cloudfront.net tcp
US 8.8.8.8:53 firebase.googleapis.com udp
GB 216.58.204.74:443 firebase.googleapis.com tcp
US 8.8.8.8:53 6.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 43.39.156.108.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 200.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 216.239.34.36:443 region1.analytics.google.com tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
BE 64.233.167.156:443 stats.g.doubleclick.net tcp
GB 216.58.204.67:443 www.google.co.uk tcp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 156.167.233.64.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 d19a1mtic3m6gl.cloudfront.net udp
GB 18.245.187.6:443 d19a1mtic3m6gl.cloudfront.net tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\pl_PL\style.xml

MD5 034f37e6536c1430d55f64168b7e9f05
SHA1 dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 958fb5d02529597afcd0d1a6035db030
SHA1 4901145dee5a7d28d20ef600db5f520aac848fe5
SHA256 df29a08f94458e41f14da0d9adf78648da131ff6496d7ab295d446f2b8270da0
SHA512 c660e99afd19e2db5c81b54cb43d90662eae153973099af6fee7b5440c021d2bfcc6c539898b5f7eb2347b0be70f5d137b9d9edb9e7196b8003c7d6f719c0d2e

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 e701c560e01687ac621b2e96f0d5a95c
SHA1 0e155eebfdaf7ef21aeee03d5388e75c30523c3c
SHA256 ccc03a551758847edb2037aeb24f708c6747af2bcbbcd93ad62cf8cfc28d0e0a
SHA512 08ee309e9dcec224aa27afd709ece27c1cd0a3e4561847ccfe73c58a04d8b687e207872ad1616feaeaeb80d30a6c61cd6ab7cb260228a56e2fc214ba4c503d7f

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\product.dat

MD5 e568b6577db690b099db51338853f0be
SHA1 2d24319c334b6319bb19c580f537e6339de48bc5
SHA256 257f1947e656eced86713f72deea7261afe30bb07e9c4f109ea29a6c2df63f16
SHA512 16cf5f031bd8a3e1998b350913d7963140c95ef75e8cac2a5f878a9d3c80691fae24463ad9af64a426fe97dc78a0f51edf75b4a92429191c0809bfcd0f0aefac

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 c38481658f9149eba0b9b8fcbcb16708
SHA1 f16a40af74c0a04a331f7833251e3958d033d4da
SHA256 d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2
SHA512 8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 c6d0b55760f9fc57e8b7db4ce772d98d
SHA1 25c820327217206fd6b5967d03dd3d8a53eb89f9
SHA256 9371c6244b5e0e854db980b33fcab149448a22472f9e206b802d6561f5f856c4
SHA512 e800315888cc059cbe3c30366d37a4b8c227233f3f185a0414ac0bfe1062f0a4e24f8e48ff648ca623a91c82815d01b5c2ea0cd80a036c5d6234ea7116730b55

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 a9519168ca6299588edf9bd39c10828a
SHA1 9f0635e39d50d15af39f5e2c52ad240a428b5636
SHA256 9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3
SHA512 0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\ucrtbase.dll

MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\Qt5WinExtrasKso.dll

MD5 b3843e058782a993918045cb73d84e25
SHA1 dbbc24f2da2e5b9b94a00aa41c08935be184c12d
SHA256 aa696dc9058ed7987675837be2601edd28306a42153d5112dacc9b156a1fceb1
SHA512 3c237aa06409d774f6bbd3aa1116677a39f5f8f166dfcfa2fecab9d266f5b247bb9d2d623ce780631f857366059ce204912c039c7b5352cd2d5a7cbfb748a10e

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\Qt5SvgKso.dll

MD5 74f1aae0ad9c77088879f0f068603b14
SHA1 4dc66aca99fca616801e7e1e08eb61e87ad65ef0
SHA256 6bf93e0575acec1c1bccf7e4d33a4c9a4f12c51811c41ed695115bcc60081d4f
SHA512 dcabee00b11db242552827663bd8eaba89bb94e4ed2f02793467c21630124074acdd1d55682a56d9b5875b3626ccff99cbab666ebdc8820d1bd4d058ce1ca029

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\msvcp140.dll

MD5 5fd0772c30a923159055e87395f96d86
SHA1 4a20f687c84eb327e3cb7a4a60fe597666607cf3
SHA256 02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
SHA512 132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\vcruntime140.dll

MD5 e51018e4985943c51ff91471f8906504
SHA1 5899aaccdb692dbdffdaa35436c47d17c130cfd0
SHA256 ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
SHA512 2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\Qt5CoreKso.dll

MD5 8104fdcc2caa3b42b140d8498eae6cfe
SHA1 1413352da713c786d1ff9be2eddda36a8245a8e5
SHA256 5a3ea2eee0535589b0de2c1468891c2285570136257261eb50c2744bf5d8fc9e
SHA512 20f83309437afc57bd4ef58d48c54c229482fd10e3b0e7e93bc8ec637dabb6ce7b6ab67942d97a35b0ff7c8694d054fa3f87a0050c04678509be99cddfaaf675

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\Qt5GuiKso.dll

MD5 cd71405fd88a13daeaadc9122878f294
SHA1 2eb6ca95ede0507b7fd0fae164b34cebb61dd639
SHA256 39963edad28df386ae535070b20371a5ba4de445912df1b1cabff915c82364cf
SHA512 d573962fd3f15f6701477b328d3395a5e4c78fd847e5e7123ab7d58d5e3d51d959765f16e6848fd879e0c527ccdb115aa312074905380a3ac4881dbaca316fe6

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\Qt5WidgetsKso.dll

MD5 4cf25152e7fdc3863d35ab01ed7e5f95
SHA1 bcf5d327cbd6d6b3903d47c63516d81f56361229
SHA256 c70e1ad07aa161eb6dd42fe5109c910ea358935c653c0082654f6810df844b5f
SHA512 706d2edb3c9f4a32554cf07d5faeaa2b7aa8d22f0f0c0076541efd73e093387dd264026dcbae7b790cafd260257288449048df7b277f8407278bf127da669a14

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\kpacketui.dll

MD5 74db79ac13ed0fff6188bc715c885d1f
SHA1 550dc1e295285ff5b9f0af44bdf7df6504c08de2
SHA256 ea52c2e5a544634cb9c3af20eb4ef25cc6d572d606e88c7427bfbfc7f3706aa2
SHA512 dd7a2d90bfe6103e0aa72eac8e5669fb6a18d0b88fb5da5ec42002ff2f5bdcc7bf733f1d3ed6b64e74f109eeb8463cc6a176cff30520f899729ce0e0bfe9f52b

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\qt\plugins\platforms\qwindows.dll

MD5 9f471c987bb028f30b5a51ca83fc5586
SHA1 d91252f67c70e1b17138133c0d31463da1184176
SHA256 555c000fdbddab11c017da8055f58169a55f8772dbac78ca8e4572a6553db071
SHA512 cc42fdb7ff0d20f485e9d5bcf7df5bf3b79e626ef44c3cae23e9179cf97b197564cb73fa4f2521495f95a3e337c1f0d533f6d3f2c36900a84dc2f546ef5e9474

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

MD5 e128074d836e990fa6e8c20c16598f6a
SHA1 16c786082777f3f80a486d2303360e06f63ed599
SHA256 88910fcdc54e2a80a7ec124920cf0af8ee1221480c2ebfd181555ec6e6a9088d
SHA512 82e95748595102467b0248a7981137e269b8c6123f5383eef40017a0fe41141d59156a6b48bf6d574ed60d8d7929a9a9f34ccb8e07e5089af4ca100a9b765526

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

MD5 d2a04dc52ea4ffcadb4881c9c120b9b3
SHA1 5ff9b4de60e3868697d81fb910b373c7c0a7c4a5
SHA256 271815def5e81d60dce20a982ad9cec1dc08fb43bf37a29c1266a5a367e5f3fc
SHA512 3ef40bf306275ff0202d24209274f7a00acf268763ff3e7d5abd81c84b2a398701a2b317aa00e67316b74aef734e11edaeb3e08fa2adeada77e6663cf143bf2c

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

MD5 6dd89155cc60c5daf2bec34971d45f56
SHA1 5c550dcaa072296d7697947e15daa629b78fae6f
SHA256 e32f73979f372cb76088df4ca8ee621ff9f853352d5236ee14854868212b601b
SHA512 9896a47418e15b13902cf5300f9331d818d94708f76949f56c28bbecc241e1c0aa153473bde30aa723381045decd01bc375ccdee9b07e00a31dbafa1f51cc961

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 e46f1a7908c83e116503f44f698e27b1
SHA1 ca4e4fcdbb815de66797bda5091111139c93c673
SHA256 5c04bfeaf11d8577872c0b8203c67301157a3e60b29269a6498f1fccc46906a7
SHA512 c2ebfe3944da340e52505a58c3afa93569e056fc14b233e333506dbf8a049123a786abc8823f2161a70ef369c69eb432ef307b8e1721a8afa00e7e1c0c533a3b

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 fb42ae50428830da2dce989a1298abd6
SHA1 995726fe756909c40aa34c8923fecae41725ba13
SHA256 1f4d56256b7839719849ee570f6da4d1df9c6c990e2cbfa26d3ff8bb99bb9971
SHA512 2c2541cf3a1dc8adb0a5ce863f1fc7cb6d4edf358cc7563603a6c110e8690a588d1c2801b952438d368868323f393d00da5bd8328cc62d732798400d656e92ba

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

MD5 c5ad1903526a9ca4c2f55cfea1e22778
SHA1 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512 e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

MD5 b4b4c703bf5c6c0b5e9c57f05012d234
SHA1 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm

MD5 2b42be10ddde43a0b6c2e461beae293a
SHA1 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512 be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\dbghelp.dll

MD5 3579da0e10644a74953f6158456b7793
SHA1 75007a9ac779d65dab95aeb8166b328d7f542af2
SHA256 520279e5806416e7f64809eaf0c6570d04e5c4d2e9ba912b53f7288639a5dc19
SHA512 8f46bf067495ea812ba515b820537dc39878e1486259365a414ed05fb47e28473b13cc2c2a939c772c1ef34f551d9b003445b6bd0210621a8d1dd8aeaa16df80

C:\Users\Admin\AppData\Local\Temp\wps\~e5854a3\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

MD5 ec662568b9acfc2930375dc40935823c
SHA1 d055469955e8c947cdba8063be36524ef29f78d0
SHA256 4c51ba181dff507f1b495e0a2c8ccad469b5a4eb51523e18ddb3a0b886f2300c
SHA512 ff9898df75781f91a443460161ac591f04e23f566ca85628ea9ce56a2ba15761ef4e6c23e8952371529efb9e96e4ac4aa16733ea710d1cb65fa2f450171f8f0b

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\qt\plugins\platforms\qdirect2d.dll

MD5 b120a3c32571f1ea2da38aa7bc3fb65f
SHA1 652d1cc2759e96df7c668b78501a609af5a6a045
SHA256 23168a629ec4bd8ab76ef93d32318d70643b0b7714f5be9534190075232fce49
SHA512 29283cc3be5f7609f921ef721366f55238456c8c0f574af30c65f6fb266ef699e09316aff5ec6d14b31090ad7f0e6d516d18f9a144df8317b0df0d71e81e7dbf

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

MD5 1cf5ce2a10c28fb4019916ea9440dc96
SHA1 e419ca40810f42a9dee168db832ddf0c8ea67028
SHA256 f8cec5ee25dca1bf99e0195e8ddb4413bb30b609a37922766d3d66f7858f9e00
SHA512 d55c8934cbc4b5eb853d41c9dc005c976ea856047c956b2af4ee7df5aca38adadbe6547b3b7b7a86548600c17f1f911fd04c7d89cb41a8144e3c916420a8a866

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

MD5 183330feb3b9701fec096dcbfd8e67e4
SHA1 2f43379fefa868319a2baae7998cc62dc2fc201d
SHA256 ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\setup.cfg

MD5 dbc1484d0462d1a98710e28a3b95cffc
SHA1 b4ae98e6deac3f30bfc3890a50965db915420ace
SHA256 97574de78587e809699ffa12b600d17a31cbe9458d658b8507f6e200d42775ae
SHA512 998df8c85d5a4b79e77e125d09c96347e41beff5280153dadd105fede9b479144436dada7354636de0192887cee49d51c927ccd3ed1eed1fc9e376af1936b7ff

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\setup.cfg

MD5 7d78a2449b45fc839f125b47b637bed0
SHA1 29528d84082fe773bbd0570629437ce66d9125d7
SHA256 45cff35c455d94d3832155bd0f7725d7f2734818e688258f033576d0e54cd5b5
SHA512 06b74bf4c906c029b3005ba600d02bd7815b4b14e4795548a89ead1669cd87a83ad00a4f4adbdb5414f73db1ebd0697b0f91029fb07ed6894e9bcbf833263a03

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

MD5 75742bbf10df9fa3be5b48a5aa0b7a0f
SHA1 431d42986fd9d198c0edd3555991ad8b7be68822
SHA256 de198d6174ec79954964fbc1cf758e4e42f323615492540cce90d1f4432da226
SHA512 e5219a3ca7b4c9eb791128ca905b653cebfad4df751282ca1f0f28b5d026d5b24c420b4ee00c09e53106c6059e20ac9c2581e4997674accd892f5a76d05bc3ac

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\Qt5NetworkKso.dll

MD5 890a5bf085167cf3aee0f4d57b7e05b6
SHA1 1bbfe7ca2cf0678b433790289cdc7db57d68e36f
SHA256 7d16714b843343e370ec36bda4a058280ba3528636c57a085b168c979f1f48c5
SHA512 e44385e82c2a85a63d3860f590003d9d42d2343a78e9501541208363e3ff9c76f46bc25f36fb7f326b13143fd259dfaac71e49caa7f0edf02c35d1f479627c4f

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\krpt.dll

MD5 f5f21888065a3972afd5758c74ee54e6
SHA1 e4e96da5b12d2e5576500659e9196439b08f5140
SHA256 2ba88cdca118999fa1f2e119de77d6324b16a0bd22997512d079d400cc6ef84a
SHA512 620120e00807775b1e3169389dd9baf26c48d3646f927594543055bebb00c81b81d4527549351ef7e7cccf8111d350feeeabbfe44ca434dd0ef57a7b2fb861b6

memory/384-4071-0x0000000037510000-0x0000000037520000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\Qt5XmlKso.dll

MD5 2e98c97ebf1a60c666d5052f33df4e35
SHA1 f09d55a5658e5b549378af28d698364663091101
SHA256 56b9e2981c0bdb628bb9b69c2266724695bdfcbbc0903528fbc6e7f415b1cf9b
SHA512 7687f06c3450b45d1c278b1630c00fb3a16f064ee1abc5a4026ccb90e19f2f2a61ec338653ae8b4a5629f2572dbe1c18a612628c71a81875cabe565aae2c3421

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\krt.dll

MD5 8074812fd986ca2116c219e35f1c62dc
SHA1 e9f72fad47ce94f3306d685a76483b013530916a
SHA256 bd346ef9c4f0118b841e9d7d0eb49749cb81bd2b549365c9be394046d956be71
SHA512 39332fd5084e497cd4998f6e18b3706f324d7b7f16eef7afecee126bdde28edb8d4897ffd204f4e40539001717bea2b08073fa2298dc3ef03f0fba6919cc24e8

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksolite.dll

MD5 469c2a814a3bc35c804764de29d30a84
SHA1 743c41835dd57a8ddf31ad0066ee07a541e21c27
SHA256 a04c4ebecf0dfe46bcd113726edb3ccb46575d655318283a88c02f75da6c1c32
SHA512 d08a0c990eb34fc58421e8f48c98d3c9a047814c73e46d71165e8beb5243191d56afa2179fac62da7ffd5555bcc22b447a4f6fb7595c6c66a8f80910b64439c2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kbase.dll

MD5 313c37e93083938c611b550fd2eb0c84
SHA1 a6fae473ab22d163feadd942f1e91bbb41c7e4f1
SHA256 502e848bed07fb2d9d8588cd0bfd38e349c6043f9bc44d23cf01e566db46066c
SHA512 c5239971b447e2a4fc63c10f542c9927c1a72af2809d48a09ca9dafeb50d9f1a736c208dd187b34b5415640819594f4599b06c5a93f7815ca6e6c2fc668e01ec

memory/384-4079-0x000000006F0F0000-0x000000006FA46000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\kmodule\kmodule.dll

MD5 87536f4c2646d5ba680390c3bc0e8275
SHA1 c50aed0c57627ee498ae5a10c5b6d7e6ff78d78e
SHA256 d7d4a28ee0fb1953375233d65b4fa1fdb0dc9c55d28bf1dd0829df1fab593142
SHA512 d2f52e97b22ec9e27ca8c02af177ab7fd8d68b139989ed62b6ebdc7bfd55aa906684dba142aa2f1100276dc83b97ab97d29677a95a15e1326da73022fb543cc4

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\kpluginconfigcenter\version.ini

MD5 4df8397c19b21a4be4baea86a4c463fd
SHA1 54c376c37f4323253aa1a4b8594743203fd6873c
SHA256 69d7ea0ffbdbbc5dcb51efe9a4759a57d358440c90b26098bf94c956fa6dd611
SHA512 bbe417b01273606e27de267ae5d7dea3541767e581742578a35857823acb25b327f55dc77d33975a66d9d66162da70704a93a332429b9a850e4f0a671a28e6aa

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\kpluginconfigcenter\kpluginconfigcenter.dll

MD5 e61c28b9cebd28c9475ca197f5ce818a
SHA1 cdff3381444f178a1c42ec289cf72673f62c71d3
SHA256 37ba2b6d32180ecd7bda9859e1c0b333e23f013f51d8da9cc89aa42a33335729
SHA512 e52007a4f5770553760511578ebdb7ad99d76484ec91005d00c03405197570b50c40537fcfcd30a7a0ba709e620fc499177d8b8578b80106df70fb096f8651ab

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksolog.dll

MD5 0a684b21acb673e7e7e4f62a12698458
SHA1 01d1240b399bf556abf8f8f50f7d94447013d063
SHA256 3bdce9ad8bbf953217a8f5968deb12a056e04f351029d3a6288cf4d31e4c5302
SHA512 d049f53cef514c1ea5513fbd5174a7019d1e9f058ccc9d246ff1d1fd93a2bb577978c38ffa798a0ed3bb395556daf850c7be0784755c0236ddb0d5cc9e1fbc28

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\qt.conf

MD5 351fdc16f8e5ec3105aeb289397a06bc
SHA1 115bcf3e66703597ef4fb42acbdf3be37fff221b
SHA256 b54bcf83fa006bf38dc845507e31dd5ae559ed68d45acc12ae1561142661a7d8
SHA512 4cb802df20b51b5bac7ac78f983c191c9c81541204b7ee30683ff55f65694926d144b8003cc504e9c8f16da92ef5d17d5d904050e7915a6615f7c62abec38cae

memory/384-4096-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

MD5 399414494af9d9062c1f5d8a2cdfd373
SHA1 6d5e24562fb818c83ffd6940d1f2c0797b67876f
SHA256 d6722ffe62a6c0c635975a38b5a2cf593390e9ee52c72b1f778c2f5b49a1eb60
SHA512 3285e12bfcb320fe0d3221812d10141f50d9e9d29b198008b43d8926f8b92262f854943246eac5bf046c878c1ff1166d1ef3c2f917844ba4cd34ec4625e1ee5a

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_05_09.log

MD5 62404aed048868eee59f381e0cc79d2b
SHA1 46dbf3c3702e9b74bc1b08df718c0fe408627954
SHA256 a39f88af5062eed055e7768751488bd6816445ba52bdc0a91f0c5f1c72222057
SHA512 b6ade01415ba6d743a582a0d19f22195208eaf5e979b3b948011b6ce21ad124b55be3cf705134c33dd06bb9bfb44e331bd6cf4442be1d3d9e9e808acdcc34a3f

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

MD5 144c48713c3dcf8961602bc008bc0fa3
SHA1 47fe6c8e5d35cda6092d2aa1ca119b3b097858e2
SHA256 9ab28c6f66d8900a2f3b3d78c0f1ea6cc1abd55e86c17422c0632997800ac846
SHA512 0209e683ca66750e9ba44e47da08a67017bf460e669e7d36998e5504ab8114c8004760457a503c447eb890a0e05fc82cc69b713cab4062a815176be3fb3721a8

memory/3160-4176-0x000000006E3C0000-0x000000006E3D0000-memory.dmp

memory/3160-4177-0x000000006E450000-0x000000006E460000-memory.dmp

memory/2156-4179-0x00007FF916040000-0x00007FF916050000-memory.dmp

memory/2156-4178-0x00007FF915FA0000-0x00007FF915FB0000-memory.dmp

memory/4264-4186-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/4264-4190-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\oem.ini

MD5 223673e5e8d77083765b70ddf7a0f7f6
SHA1 3b5c4d6304ed6ada0ec607f44a2aace24ec16126
SHA256 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82
SHA512 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52

memory/2940-4326-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/4168-4345-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/2940-4344-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

MD5 eb93ca3c82bb7c25f3d1ad74a07c3b8d
SHA1 7303ff6e6a370e8e0489dc70866d822401b1986e
SHA256 9325a53f21fcd756f900dec2b64bf44ab08d632d1306c75cdf351f0e701f146e
SHA512 514de2f01e3a92e98b6241c0551d6f7f4cd771a635b43383c02bcfc6b952f31324b422b909f6994669faf9984e48d7d016c1e997aa76e430c2d7171b29139631

memory/4168-4350-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/3616-4434-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/3764-4436-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/3616-4433-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/3764-4435-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZMD972MW1DM6Q8DKLU3T.temp

MD5 65580603822fe29abf3029cd09f2196e
SHA1 2a7bfd261c68b2065a9339fd42a0a4d17f3ace64
SHA256 47b607cfaa6fb013424c62baf5a2d12a72265226da5bbd50498ebcdf3ff13b05
SHA512 6e634fff02e01542e60768e0cab4668ffae960edb885860162d12195c56bdda896e0d886937cbb749c2ee505f7259f5ccc71ce883b64286f9c7f9b15a430e385

memory/4448-4539-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/4448-4540-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/4916-4556-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/4916-4555-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/3396-4573-0x000000006E450000-0x000000006E460000-memory.dmp

memory/1792-4575-0x00007FF916040000-0x00007FF916050000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

MD5 4575dafa42048d7d0cbf2607be66036a
SHA1 31614b05ee0a24626fca02d95c0f39716d3f267e
SHA256 0801c8b80a4f94fb3659e57fa10c601ce6b98ebbaf33e9928c27dcba4b321803
SHA512 f48dd6ce186136577ed42bf16ad1265c04ba39de1d03b4c8b8166e7b644bc467aece4a351f4a440ba8b920ac9b384e533b9f696b2ad26ecb8b06f75a5ef29631

memory/3116-4668-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/4936-4670-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/648-4687-0x0000000072A60000-0x0000000072D4A000-memory.dmp

memory/648-4691-0x0000000072480000-0x00000000724EF000-memory.dmp

memory/648-4690-0x00000000724F0000-0x0000000072961000-memory.dmp

memory/648-4689-0x0000000072970000-0x00000000729CE000-memory.dmp

memory/648-4688-0x00000000729D0000-0x0000000072A51000-memory.dmp

memory/648-4686-0x0000000072D50000-0x0000000072E6F000-memory.dmp

memory/648-4698-0x0000000071790000-0x000000007179F000-memory.dmp

memory/648-4694-0x0000000071F70000-0x0000000072473000-memory.dmp

memory/648-4697-0x00000000717A0000-0x00000000717AA000-memory.dmp

memory/648-4696-0x00000000717B0000-0x00000000717D3000-memory.dmp

memory/4936-4685-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/648-4695-0x0000000071850000-0x0000000071999000-memory.dmp

memory/648-4692-0x0000000071A10000-0x0000000071F67000-memory.dmp

memory/648-4693-0x00000000719F0000-0x0000000071A04000-memory.dmp

memory/3116-4704-0x00000000722D0000-0x0000000072E7F000-memory.dmp

memory/2404-4706-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/2404-4705-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/2404-4716-0x0000000062310000-0x0000000063EC5000-memory.dmp

memory/3280-4719-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/2020-4726-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/3948-4731-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/3948-4730-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/4592-4755-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/3280-4729-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/3948-4732-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/4592-4756-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/4592-4754-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

memory/2020-4746-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\plgpack.plgx

MD5 ac0da90737a20a2a73b5df5ac2619c6e
SHA1 19c4382092fda4bc03398a36f9f498f09a67033a
SHA256 365a590c88cbf825e84b51f398007f05c5e8397e3903950f9860d04067b2ce9c
SHA512 ef8a4b387912b879adf5ad4aef9259ae2b67c2dd62a1c8268cff0b1577e330113e16f55de0a23f3b61add3283c41d131703c0472d3828b0e0a0619d268f524d2

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kvipupgradepage_xa_1.1.2024.1\download.7z

MD5 d791a4c5021c3934aa216b9bf5b447d0
SHA1 f954fe837a9fda1f8172280beb2fe9b578a71a51
SHA256 1af1948f4c1f6f753b3a920a787552a072d88c060b7fd3a834343f0dc9f2fbfe
SHA512 32b91c12d8922ab3dbb9735770e8533c3de84c9562c3725606d42d50b3acb97891eb65660c7bdd36684c7fabca07e054aa8b4b667b6f701213e33f08a187bdf2

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\res\static\js\manifest.js

MD5 af5a4ff62384fe67791d8cde9176ac0d
SHA1 cf5aa9528fe795b75a569352466ad944652185c8
SHA256 5d1122539ce1ae98804e216cbfcada9f2603fe4f86454b2b29e7d7448da97891
SHA512 f78a72b7ba06b257fec3a97bb62d20f7562212e995d62438bfe3d8181fe7f56c3e14194e9203e64b0e259a7cbdd900125f5f185bc8d736c881f8ca0e2920273d

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\res\index.html

MD5 66bbeb8733bee0c788685880cc46acc5
SHA1 07d104aa23fd4ad765095ea771667e1440ac6bca
SHA256 faf96f1472b09c6eed78da690151b5b57133733e2f562dc6678602746a79342b
SHA512 2d919a92b2c425d0f08d609fd825de151c5ce54cd31d83405054fa84194c85568ba512af4f1b38136c12152764ae0ae34441f36b4f23ed5ae74438502b0d1558

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpsoffice\plugin.plg

MD5 90abe12bca7b280b363c545b461831bb
SHA1 422660560fdc23c93b3206bd863996d4d552c9a0
SHA256 1dfe4c8aa454ad5ca6d96b32db5a886458acc95b1c693c8faede4ab229e17965
SHA512 469de76962db937062edad100c225d5352d730f3df34549eb4835bbaff1a1e14019658a4d93fc9a1d2a85157e6b83b3007b956d71f5f8c930525b4165de92509

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\download.7z

MD5 ded028d22792f4a299acbd2d410e5f0d
SHA1 940944738e557237c0099117c635da874cf78263
SHA256 20d84711493557b73f42b31171cc6840a8079248209768ddc75d10da46ab6bc4
SHA512 28ff645f3e78ca9a88cbdaeebb47504178385627d1fbdf68b099901e8db3afc470251413a453c82e7633c232a7c4400789819213fe79e7e3518791775f8d54a9

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\mui\fr_FR\kdiagnostictool.qm

MD5 62f3720e184f094c874fe0eab7f0f598
SHA1 cdd858a80bbd1268e7c5278ebe19c35659871d2b
SHA256 bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14
SHA512 14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\mui\es_MX\kdiagnostictool.qm

MD5 5afc7d8ba894df59c2b3f44726cfc2db
SHA1 a21a7a8fd943455fa47cc5d950603bf1bc5a145a
SHA256 4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be
SHA512 a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\download.7z

MD5 422a47b49c81c94a1f10078e376096da
SHA1 b2454a1d09f83138c903d9502c32124d6360904d
SHA256 9b9eb4c2cec67ed2aa307ed978701ddc86f0b63ab63fdf9b3430a91237a5f59c
SHA512 2803ae66ca2a6b2e4a4881a1266c02048d8d4a86a9ffcd01696b4463d3a18846261877933fa4cff503ca984d59976effde7de0db830b96fa4267c4d41ebcfdab

memory/3116-4831-0x000000006BBB0000-0x000000006EBD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.136\run.ini

MD5 da4b75c3d70c08be415e7b25abdc11cf
SHA1 c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225
SHA256 e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36
SHA512 0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.136\download.7z

MD5 31bdb9137432706b904e8dfcdccde030
SHA1 d26fd902b9bc1048731983854ac605e894075130
SHA256 af28e7d61a9b2467a78098341ca188626a90acfa0df4b8f81587d1c35f89a55a
SHA512 119341029755a087f45a32d3d94dc320fbbc7f599ba9ab20dad4479e1a08d24eb7799cdefcb47051ba835e7fe2c220e4e153a3d660b9a22e2a56cf82910e0280

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.9\mui\default\icons_svg.data

MD5 cfab0f157385566514db45630505743e
SHA1 22fd33d784d7e92ecde36c0bac58c7b0efa6bf01
SHA256 80a03cc09cb0de9a155f9cff1f85b8f10dfdb89759944380da08ade1de6b9e7a
SHA512 0b5ce5bf919f8ad1f86d80412453ba578d240aaf817bab95e7cca50e9c094b40d6ade25ca33c5fe8b86fe74617a1944730bcf1e969e007966acf11d431d03a7f

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.9\download.7z

MD5 820d0d38598cc67166dc5916e50843ae
SHA1 bb5b07d1b80bcd21b48da146e9c910ef778293d8
SHA256 7262c3145aa2940abe1b2f5bb2a3f20147dcfa8e6ee9fed3b001ef51a784ba82
SHA512 599502b8285068af17647a843d38698a0f5469231da1d303996afda18200bc90538a7d91b0e7261917acaa00b2367f1471895dd851ac9052bebbf71e131d625b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.107\download.7z

MD5 0edafbd62638a75ae8b4debc9fd0b3db
SHA1 814e953384ee2771bfcde0584b0f6f5691217ede
SHA256 3332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8
SHA512 ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.193\download.7z

MD5 3b91ab7795510566a0cb254022445a1b
SHA1 2894a929aaa08aafc6bc74278a1511cec2204223
SHA256 223f4d92777f385e8ac9f8055ce1362bbbcfa525e36933605481abfdf8f48c79
SHA512 53ac22c66f8883781d2904ddbc40d72fcbe9bfa586b5f4e1c083dc7ea45076ad1d2bfa9de2ce5e04b3c8bc9770f633249103761d7874e56662644d07cd502db2

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.3\download.7z

MD5 54079bd7a79b895706cb6ad73cc4c627
SHA1 45068e27f84dcd16044f4628a020629d0360d8b7
SHA256 355d005cf859c66b298bf475fd646c67ba5fc952c9f670f1b964714b24f197df
SHA512 94d65c7336e0e8597a83c633dd734157ed17d03f9317b9857141724af6b5948c20f82180b4127dfac6da3dadbb4d8aea7ecf5d23d92e87ed719a480a5b1a6c68

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.3\run.ini

MD5 ad3a68e7d8c8bf2470282567d8ca7ded
SHA1 addb5ab04165b4743ffb985918c08ba0a76a6eae
SHA256 27e743bc78f9a2862d822fc171789160905ee26545466f93052f8565aebd523f
SHA512 c8e4b63fb79c365cb48a0ee0c4351f6f94da9ba8ce62f0b14d8ed45726ebaa478f581efb37e254e75e1c561f5ffa1d8985e867957c68c04b8eaaa2945e838505

memory/6084-5064-0x000000006F0F0000-0x000000006FA46000-memory.dmp

memory/5408-5103-0x000000006F0F0000-0x000000006FA46000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\download.7z

MD5 87eddda6cfc1c6e1c86e1b3b371f369d
SHA1 7910a432cc964bc1e1be51e0cef2e986cf54eec2
SHA256 4cdfc143513060130052f306c0a7cb93731967dabbbfa22cf892518bfb0a6d5f
SHA512 c7bd1162cd851672e9f5ed21e8fb88d734232360be0433e98a82a9f04a4f35e2f59ced11716244f3f30ca021eebe111ef9b6e7df5eaa1c356ddc75f99445cdc8

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\pdfwspvreg.dll

MD5 ccd17aaa7644b6979f661e7c72fa077d
SHA1 9cfb25754ac4a4ed487ce6c4655ccc78b5aef975
SHA256 b5245881da869ea02155d4052eda1390339c87496da055f85c3985a912e0401e
SHA512 2199d618af0d3fc948f4c39700cc8cefa07ed75db29ec348c71c013678a9ec3befcdcc5c3cb1d804abca5df4c3e6aec10caddb29188f28fc27313d6609dc2a49

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\run.ini

MD5 0d914e316c8fc542e5685b1598899979
SHA1 52e575fc0c66b60cd79d29ae4486944cf06995b0
SHA256 484e6146403c96eaeead06a97a8ed86d67334a9185bf009a44f7b1cbe5402e2a
SHA512 77ca461895bc65f31dd8fc5182dbed383804b4d3315e210bf65195776510bf9c09c11d87589796ec1bd272f67762e5ba28be4d64b8a58f2577cb6da79dbd7319

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.213\download.7z

MD5 f3ff3c47ae68b0e6234b72d354ac191b
SHA1 26c380b44ad61b258a6de56c75c7f568d8c0f876
SHA256 cbac9ef94e6c6dd11019653c64bec6a3e6970779604555f5f77974258c214333
SHA512 43f892f5172b03e4e7d8f3f3632012ca62a7cb104f26d7d746005abf94472eeff881087c1ca73483f1079f21befe321af7372c6e17b26bd77f8fd9a03935ed95

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\download.7z

MD5 3303884fbf771d8e3dd645bbc8bd76cc
SHA1 cef8fe59d3161645cec87eae5d8d426604e4f2a2
SHA256 77756cc9c3fa51ec2bd20a39f9c3ffabfb152ac4dd285bf8befae228971f7cf1
SHA512 053abe0567cf8e99c49b9bf3395dd5e8db1c360dd4805c516c9c97ebe0532b0a9090e6fc2f41fbaa910fae21e594d2850729dd527b72dfbbceb53e479f874b62

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\pdfwspv.dll

MD5 4c6221b526433ba802635e2fa0d53ff2
SHA1 059bf2b126ee3b901b7a9dee8b53c7e648cc5ebf
SHA256 300994947e4af25ddcea546e285f9d35131e7efa0070d9855d873646d4a73177
SHA512 b1bdfd321ca6b788948383902b9f317bb46a8abfffc4fda29bfd51381f96be9af35274ff7d62c761fb83b09a05e2bb179df6817fc631e67a315787b86f4b31f0

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\photo\plugin.plg

MD5 4f1d6ac2c1e920761c52a2d9c0a872e6
SHA1 86c6daaa12c5b36dcbc333fd7f5cb0be7c7c936b
SHA256 6326a5629d8be738d11ec54e5127a32a06d989d62a72afe9546a665a81c04379
SHA512 94da0cd58e660fb1caa1854ff70035b447eb6a24c2887eaf729b19c7d207abf1005adbefb4d0503aa0d4217f2b709e183e7d425e115da681d2fdc9cc0cc52a6c

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpsbox\plugin.plg

MD5 2590ea571c92102a87bfdd67ea4c2198
SHA1 05cac266ea786c20b033d2d4e47bd52b44743868
SHA256 497d08eb919b25ec696d8cedeb37dd70438e963a3876eddbce65a5c3d6b38d16
SHA512 ab877c22d0f48f4a06f05fc7cec9717cc992d5619c97809e0462640b0e60c1c49e19f2a897fbd0964cff175008ee9d11ae02c820b2a9bde68e03a8250d8fe540

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wps\plugin.plg

MD5 aa556ae2a76725f3ef5655f16ab478f8
SHA1 0dde21b78e390181d3233d74946913703f336dcf
SHA256 854794ca8530d34479cb8205f16749006ae285c7d2dfcb2cdf98b41a880122eb
SHA512 8a6127af209b1590761928bb9043eb7975588ffbf2ab4c5b1ed5a3c4e6fd71c266460f661636af8f0e4de3bf5094985d3b8dca061f940d296a61403cff716afe

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpp\plugin.plg

MD5 02608cde8b78360e28afaeea1d19fc68
SHA1 bf726db0557421384fc8471e736b1ae77606f58b
SHA256 c76636ad3595186c5ed8b2720ba266b5d4ce7d4914de5f47ce7e8e55a0d00502
SHA512 3712c4f450ecf188f0460cae48ed191897d61390d3c46c1b834cafba8ae5102aeba6252f473af6cee2eff3c28f790c9030a4bfa3832379e56edee29a943e117e

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\qing\plugin.plg

MD5 1ff60a068f44142fa3224b08b945678c
SHA1 42e2a481ab3443a2b69bc95dd36777f45f2ebbf2
SHA256 f3a2fff28be165f85dccdb23ff7d5b252d4498dcfa2db604cec8481dffe799e0
SHA512 6082e3b8b9fdcb3ec83cc9aa16b7fcbd320dd18116f3bdce948de50d8504a824a33490472e418ab165dcb2b61bcd030dd5a8cc92ac79decd199ca78288914315

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\pdf2word\plugin.plg

MD5 1d0fd57efa2cd6d7db0078b3cb6fa54d
SHA1 3da7bfb85e030fb1e137a3fc006b5e630e3cf594
SHA256 3cb7b3a5d576b96f4cec9a0168570f494b77336a55c9123ea1deb7986ca8aa2f
SHA512 5633d8e1a1e60c213ebd804c5292d635119dc044b2adff91805011d4bfcf1da5ae962544684ad96eeed3a8a31a82d3ee00c026a5f0abb65e8711a7d1e2aac767

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\pdf\plugin.plg

MD5 0610281e36fec15f6d9c5b757a6fd2c5
SHA1 09eda1eb8d6f95f8ba607f02f1af227bfed887bc
SHA256 365d5ec6366728883fa4509e7b937ae0a575174f0924aa041c80562dc9bbe65e
SHA512 bec747070281958f0e261dd9add3e2bc90df23bc7792249bde1f7d7d52dfb1c481719ffd3fc5a0acc75b4d20edc1059064afda71aa135aab7ebe1ec4c4f17dfc

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\kappframework\plugin.plg

MD5 773c95535f7eb6a316b5ad63a15a2449
SHA1 7fb34309f5f5bf1fb769370f5bde00091e6520ac
SHA256 ef7a43d0cf98859a7418b8b2f65ee1a140dfbd608fa39d714786c64968d214af
SHA512 7137edccff0eebeb8196a3e5cf94c69d821a1bd566fa8b0649bcff17a12fa013212e609dca9b05346142e91b427825d3657489928a1affd46e046c4d77a5454b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\et\plugin.plg

MD5 1c97e9eb8c02d24e794c4826339cde61
SHA1 419d0e62b0828b9f45d4589abf6c7938d8c4618f
SHA256 71f5db321dbf23853ceff4aaf2139987da07617774353e405b0b3532b6623c9a
SHA512 ed95918d92c95b1c41368f0c77d4662ab4c1f3139d9ed6ea689660530fdaa506bb81920cd02ea16768c902b8965f70255bad0a5006cf08e2761a35d6fa7c3af6

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\premiumcode\element-icons.woff

MD5 535877f50039c0cb49a6196a5b7517cd
SHA1 0000c4e27d38f9f8bbe4e58b5ce2477e589507a7
SHA256 ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17
SHA512 da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\vippayment\assist\base64.js

MD5 12477cb6bc99f90086f05e54ea7dcbe8
SHA1 4009eefda873514a6579830888d5f12c50d7b3de
SHA256 6520eca957e8a4d7e68e0dfe17f1cea9d42c6378962f454e7a911ff32e5e6248
SHA512 a7a16f935d71f60bb382622ff781a3cef234865efbaef62ee268163a416bdd9ea285f33c843fb729cf8b8eb6d18a81de5311b01d19b48c998b08d79f29e59d13

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\vippayment\main\img\loading.svg

MD5 544223e85768fd134633a1af9d5bf536
SHA1 5536a0023ddbfb2ab67e9ad8ca4d38c60f413b9a
SHA256 a3df9710c7e09fd8cffc14bfe45f5a1576deb1846ced44e5050b34caf5527049
SHA512 a5cacba054d41af8efd607074c02f36ab731b5d6bc9ffd3bd7ce6b09a4af09b31e29359eb965728d2a00849467b1af66e16186a0c07b4415b3b423a5ea4f68ca

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\resource\premiumcode\element-icons.ttf

MD5 732389ded34cb9c52dd88271f1345af9
SHA1 8058fc55ef8432832d0b3033680c73702562de0f
SHA256 a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2
SHA512 e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.1\download.7z

MD5 b940bcdf5973099a51bfe448a9ead54a
SHA1 4c1b47814c8620283b372d476d264209051c9e44
SHA256 76b12ee03d41b2957ba52a0c7a64de8022c048ad9eadb13b4c99ff08955ce085
SHA512 dc900f0a694d09e2d0cecb0082105df9e9dcd7f7cb0564db5983d8c4977f7f9323ea6dd565665ccaafb60b5b448c38f2c45ef64af4dfa55a051a263623ccd295

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Network\TransportSecurity~RFe59c5c7.TMP

MD5 d3a56b7bd2241a2e3a58b74789ebb640
SHA1 482035af8f7766377b0bb6411d87156fe1351a0e
SHA256 a0e3ebd45f454b0f8f362981f13e8a77aea93b191fccd178152f58b064420045
SHA512 0fb27a0847ea7f8c8907adcb9ad1f1d97a72929305ee25e2949f711b0f734d24e776c7c57d2362bec6b80d21611a206177ad2a831595ebe1143e95386f6f1076

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Network\TransportSecurity

MD5 d0ef7ce1511575feb5c6cf37d636a088
SHA1 8f3e0acd9f66253936ed5c3e56db1fae9f5b5f7b
SHA256 6de2e7fca8697200d5f910d5e4f55b82524e4c765a896e1b3d007b1e4aca6e7a
SHA512 38ed0be5a07d1027626f128573003991888a8fa42a3faac19fbdbcaed3956ceeaff80d0bec01ca8e2655cd2790ae0c7916197540ec19568cbc6ced4dc7a828a1

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Code Cache\js\index-dir\the-real-index~RFe59ec4a.TMP

MD5 53b71d3759dd67870eb79c8a6589a9a0
SHA1 142b31d1bfb89c400fa2492ed131a20ac96d25ed
SHA256 6f3123bc332493450b0ab3fb2ee4eebdb63dac903ccd54cfcea47aeb1fc7bd72
SHA512 398806998bd6143ad08345681dcf3150ebbf8a5b2dfa6537b125bfef8879d56e94dac85e44c7243c1432711435be4bb456f2a6b5e1099a339e09c6a070da4550

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Code Cache\js\index-dir\the-real-index

MD5 c80a4faa724df6dfac1b918455954187
SHA1 33173ad4bd5c74605038f6394e1c729905761009
SHA256 cf855179975b1f79979d9ac66a2c7fbbc5c4ee77e695933c401d8751c76408a4
SHA512 b2e51dd1e0d9eeb6ca8e30339c43b15b27b5210907b6daa716e3ed46fc73e82343e5afaf71e95800fd8577336beb7f8df24e396124016f0ce67712041f1a0c11