Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-pgdnlsxbjn
Target 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
SHA256 317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636
Tags
bootkit discovery evasion persistence spyware stealer trojan
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636

Threat Level: Shows suspicious behavior

The file 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery evasion persistence spyware stealer trojan

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Checks computer location settings

Registers COM server for autorun

Modifies system executable filetype association

Executes dropped EXE

Checks installed software on the system

Drops file in Program Files directory

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 12:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 12:17

Reported

2024-06-11 12:33

Platform

win7-20240221-en

Max time kernel

53s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700070002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\ C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\kwpsmenushellext64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wpp.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\refedit.dll" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Preview" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{A87E00E9-3AC3-4B53-ABE3-7379653D0E82}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\WPP.POTM.6\shell\print\ = "&Print" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{F1B14F40-5C32-4C8C-B5B2-DE537BB6B89D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{65E515D5-F50B-4951-8F38-FA6AC8707387}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{799A6814-EA41-11D3-87CC-00105AA31A34}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934DE-5A91-11CF-8700-00AA0060263B} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00024499-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.arw\OpenWithProgids\WPS.PIC.arw C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\MiscStatus C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209A2-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{4DACC469-630B-457E-9C8F-08158D57FC7C}\ = "FullSeriesCollection" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{BA72E551-4FF5-48F4-8215-5505F990966F}\ = "SectionProperties" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020990-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020875-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024423-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sldm\OpenWithProgids\WPP.SLDM.6 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209A7-0000-0000-C000-000000000046}\ = "Zooms" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{3E061A7E-67AD-4EAA-BC1E-55057D5E596F}\ = "OMathMat" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{CDDE3804-2064-11CF-867F-00AA005FF34A}\ = "_dispReferences_Events" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C03F1-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C0362-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C037B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00020950-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024470-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000C172C-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C037E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000244BC-0000-0000-C000-000000000046}\ = "SparkVerticalAxis" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000C1711-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\ = "XMLSchemaReference" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024424-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{0002092C-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.SecDocument.9\CLSID\ = "{00020906-0000-4b30-A977-D214852036FF}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{99755F80-FE96-4F7D-B636-B8E800E54F44} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{E598E358-2852-42D4-8775-160BD91B7244}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00024480-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000244BF-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KMSO2PdfPlugins.Component C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C03C7-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.SLK\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,23" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\SystemFileAssociations\.xlsm\TypeOverlay = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,3" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000208D6-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000208C4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000244E8-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{0002E11A-0000-0000-C000-000000000046}\TypeLib\Version = "5.3" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{0002094A-0000-0000-C000-000000000046}\ = "Cells" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{0002096F-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.Addin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,21" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{2503B6EE-0889-44DF-B920-6D6F9659DEA3} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020999-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024423-0000-0000-C000-000000000046}\ = "CustomView" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.Document.9\ = "WPS Writer Document" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024478-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00020866-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\WPS.Dotm.6\ = "Microsoft Word 2007 Macro-Enabled Template" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.Xlt.6 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209B0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.Document.12\shell\edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps \"%1\"" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{BF043168-F4DE-4E7C-B206-741A8B3EF71A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2796 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2796 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2796 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2796 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2120 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2120 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2120 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2120 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 1824 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 1824 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 1824 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 1824 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2520 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2120 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe

"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"

C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe

"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_F763208 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_F76896B -forceperusermode

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_F769695

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2520 /prv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"

C:\Windows\system32\regsvr32.exe

/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:setup

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" -createtask

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\html2pdf\html2pdf.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\\office6\ksomisc.exe" -defragment

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -getonlineparam -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -getabtest -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2248 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2600 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:8

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2900 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3020 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2244 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.123/kdocreminder.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.123/kdocreminder.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/photoforceasso_xa_1.0.0.1/photoforceasso_xa.dll -EntryPoint=EntryPoint

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -assopic -type=silent .pcx|.tga|.wdp|.wap|.wbm|.wbmp|.pbm|.ppm|.pgm|.ras|.xbm|.xpm|.arw|.cr2|.cr3|.crw|.nef|.orf|.pef|.raf|.dng|.heic|.mrw|.rw2|.x3f|.psd|.psb|.ai|.emf|.ico

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run /InstanceId=wpsdesktop -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2023.32/kwpsbubble_xa.dll

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1064 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1572 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:8

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=776 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1868 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe

"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1388 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:2

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3168 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3288 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:ksoend /source:ksoend

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.wps.com udp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
FR 90.84.175.86:443 api.wps.com tcp
US 8.8.8.8:53 params.wps.com udp
FR 90.84.175.86:443 params.wps.com tcp
US 8.8.8.8:53 abtest-api.wps.com udp
FR 90.84.175.86:443 abtest-api.wps.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 8.8.8.8:53 dyn.kingsoftstore.com udp
US 52.32.145.13:443 dyn.kingsoftstore.com tcp
US 8.8.8.8:53 wdl1.pcfg.cache.wpscdn.com udp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 8.8.8.8:53 dyn.kingsoftstore.com udp
US 44.231.200.92:443 dyn.kingsoftstore.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 8.8.8.8:53 cloud.wpscdn.com udp
IT 18.65.82.2:443 cloud.wpscdn.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
FR 90.84.175.86:443 abtest-api.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
IT 18.65.82.2:443 cloud.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 ai.wps.com udp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 api-ad-adapter.wps.com udp
FR 90.84.189.232:443 api-ad-adapter.wps.com tcp
FR 90.84.189.232:443 api-ad-adapter.wps.com tcp
US 8.8.8.8:53 abroadad.cache.wpscdn.com udp
IT 18.65.64.73:443 abroadad.cache.wpscdn.com tcp
IT 18.65.64.73:443 abroadad.cache.wpscdn.com tcp
IT 18.65.64.73:443 abroadad.cache.wpscdn.com tcp
IT 18.65.64.73:443 abroadad.cache.wpscdn.com tcp
IT 18.65.64.73:443 abroadad.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
FR 90.84.175.86:443 ai.wps.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 104.16.84.69:443 wdl1.pcfg.cache.wpscdn.com tcp
US 8.8.8.8:53 ovs-activity.wps.com udp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.8.8:53 d19a1mtic3m6gl.cloudfront.net udp
IT 18.65.64.50:443 d19a1mtic3m6gl.cloudfront.net tcp
IT 18.65.64.50:443 d19a1mtic3m6gl.cloudfront.net tcp
IT 18.65.64.50:443 d19a1mtic3m6gl.cloudfront.net tcp
IT 18.65.64.50:443 d19a1mtic3m6gl.cloudfront.net tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 firebase.googleapis.com udp
US 8.8.8.8:53 d19a1mtic3m6gl.cloudfront.net udp
IT 18.65.64.128:443 d19a1mtic3m6gl.cloudfront.net tcp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.32.181:443 analytics.google.com tcp
US 216.239.32.181:443 analytics.google.com tcp
BE 74.125.71.156:443 stats.g.doubleclick.net tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 216.239.36.181:443 analytics.google.com udp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.4.4:443 dns.google tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 update.kingsoftstore.com udp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 54.69.147.146:443 update.kingsoftstore.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
FR 90.84.175.86:443 ovs-activity.wps.com tcp
US 104.16.84.69:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\pl_PL\style.xml

MD5 034f37e6536c1430d55f64168b7e9f05
SHA1 dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 399d2ed883dd737e480b5c434d2ca1d1
SHA1 a3c7df390ec8ef93a84ced4ba7216735a696be70
SHA256 11b504e8eef38b1ebeb9e626d3bebb8fc5ff53e325685d628941523340b35271
SHA512 574d8a3230821d0852a89832fdfba9d1fc777df40aa10c483a31a8cac2a36cf356ba54fee27e27b097c31c8758b0f32863d8b4f6b0147403d286d0c3f84c119e

memory/2796-182-0x0000000000190000-0x0000000000192000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 ac77f5be67533f8b44d788204583d224
SHA1 9dfb1713d8df8b3f727dc9e8ef5c4be0a491a9b7
SHA256 d58cb20d298399f4772ff4058924beb21775349f8866534b772be2fdde336b00
SHA512 7ad98ce00761cd577379487857b22f897296f337848828a1b77c9812288bfbecf0d5783f17d60ee222e291943902887bce0b8ad604b7a699597b36f88ea5dbbf

C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\product.dat

MD5 275e4919bf12383eeaae2e35f1aedca2
SHA1 d63a89631852f77f4de039ee5ffd8b46b10e044c
SHA256 d8dc6cf4f19c29825a6da3b4ec663e36de45b1cc17b9b410025b10725f170072
SHA512 b0ca06ebef74c65e7ea7b1d0cc4c250f45134e195a822f8614d6ccb397805166b0399f4057d561e39ea996ab94a7dad40ed637766b781baad3db9af9926f6a9e

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 6a5eea749583001de63b993fc66496ba
SHA1 fd41691ec4751e85be89917d46454f8533800b4e
SHA256 bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 e96c7039d75eb9f9eff0555613851daf
SHA1 bdcd9e2eed7de2d7c98bd9a28e3cf00f864a7899
SHA256 c761c92e278e64a044f744bd4f25add4a66fd1bbf0e39c03da22397f4467173c
SHA512 d541d832b65ecf4a63bbd2aff5cb91944241c9637b9f2d2210a5a141a0054536876ccf1a884924e12cec832dd2af7330374cd118157f758274bdac353d8eadd9

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 5e1b68b67986b1588301c0135f19fc7c
SHA1 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\ucrtbase.dll

MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

MD5 21519f4d5f1fea53532a0b152910ef8b
SHA1 7833ac2c20263c8be42f67151f9234eb8e4a5515
SHA256 5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1
SHA512 97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

MD5 b5c8334a10b191031769d5de01df9459
SHA1 83a8fcc777c7e8c42fa4c59ee627baf6cbed1969
SHA256 6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d
SHA512 59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

MD5 cd3cec3d65ae62fdf044f720245f29c0
SHA1 c4643779a0f0f377323503f2db8d2e4d74c738ca
SHA256 676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141
SHA512 aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

MD5 86421619dad87870e5f3cc0beb1f7963
SHA1 2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2
SHA256 64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab
SHA512 dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

MD5 b181124928d8eb7b6caa0c2c759155cb
SHA1 1aadbbd43eff2df7bab51c6f3bda2eb2623b281a
SHA256 24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77
SHA512 2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\kpacketui.dll

MD5 24c1c69547498300c8a9fef3d49d1f5b
SHA1 54adfe188efa56fc52438513692c1306f2f23e52
SHA256 c548c442d41c9ebd90fd22f4248097c857455f05a51125f00f10ab8a2e058cd8
SHA512 7693251d2dcac0efc8156a94957bf4be9492f3e179692fbe82c30d9fcc6e37771b79f569024a21545299cbc2081aefdd544388b42d635d99f0ff7c7fcdab20ab

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5WinExtrasKso.dll

MD5 523c6a8629b886557c7fe84bbc1786a5
SHA1 0dc9d1fde374d9d5f36f78301d2ceed757ab442e
SHA256 1f3f02f173bfdb534b642e54356d4ea5a9f95a50d8cd49f45b5d30dc8e77c854
SHA512 bbcd8c1bbd3a02ea3e535ccf27f998a51885d05202331a5387cd76abee16247bc8ed63be08f9fe445ca4622a59e85bb7b20cd9f7b622937a17e93247e8585082

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5GuiKso.dll

MD5 0849984cff99db55aba5d085efba5d0e
SHA1 802cdd8163ba992b206c0331b4fb4644bd7ff562
SHA256 e277f4876e73b81abbd09f6f1f5965adf50a458ebd3dcddd98f3f8a145a0f875
SHA512 cf6295bed846c41e899446ec8520a6ed1d7ca522b092bf234aa7912b8797a519501c5fb519b6888a65516c5923b74ad6674bd009c7672880fbb27762b1426b50

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5CoreKso.dll

MD5 677bc25f723c163aeb9408490bb6b782
SHA1 98f6ca86cd39c974083e4db1b0e193260cf46830
SHA256 87602cf0eeb30d81ad5b257c83931959e8d841e07ee81cdb093092b267c21abb
SHA512 eafacc95444a89448396cb94a52628bb573d562429f4368552d4bafc5323333ddd7473fcf315e012b768fe92ced00ad20c2f5138dbb1eb2f560020d5a1ffe7e3

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\msvcp140.dll

MD5 5fd0772c30a923159055e87395f96d86
SHA1 4a20f687c84eb327e3cb7a4a60fe597666607cf3
SHA256 02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
SHA512 132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

MD5 4f06da894ea013a5e18b8b84a9836d5a
SHA1 40cf36e07b738aa8bba58bc5587643326ff412a9
SHA256 876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732
SHA512 1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\vcruntime140.dll

MD5 e51018e4985943c51ff91471f8906504
SHA1 5899aaccdb692dbdffdaa35436c47d17c130cfd0
SHA256 ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
SHA512 2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

MD5 50b721a0c945abe3edca6bcee2a70c6c
SHA1 f35b3157818d4a5af3486b5e2e70bb510ac05eff
SHA256 db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d
SHA512 ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

MD5 88f89d0f2bd5748ed1af75889e715e6a
SHA1 8ada489b9ff33530a3fb7161cc07b5b11dfb8909
SHA256 02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc
SHA512 1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 a1b6cebd3d7a8b25b9a9cbc18d03a00c
SHA1 5516de099c49e0e6d1224286c3dc9b4d7985e913
SHA256 162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362
SHA512 a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5765103e1f5412c43295bd752ccaea03
SHA1 6913bf1624599e55680a0292e22c89cab559db81
SHA256 8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4
SHA512 5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

MD5 f364190706414020c02cf4d531e0229d
SHA1 5899230b0d7ad96121c3be0df99235ddd8a47dc6
SHA256 a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2
SHA512 a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

MD5 a6a9dfb31be2510f6dbfedd476c6d15a
SHA1 cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7
SHA256 150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c
SHA512 b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

MD5 d0b6a2caec62f5477e4e36b991563041
SHA1 8396e1e02dace6ae4dde33b3e432a3581bc38f5d
SHA256 fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf
SHA512 69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

MD5 0979785e3ef8137cdd47c797adcb96e3
SHA1 4051c6eb37a4c0dba47b58301e63df76bff347dd
SHA256 d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257
SHA512 e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

MD5 461d5af3277efb5f000b9df826581b80
SHA1 935b00c88c2065f98746e2b4353d4369216f1812
SHA256 f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf
SHA512 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

MD5 3dfb82541979a23a9deb5fd4dcfb6b22
SHA1 5da1d02b764917b38fdc34f4b41fb9a599105dd9
SHA256 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb
SHA512 f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5SvgKso.dll

MD5 e654635510b1aa9482796b2e543b6f9f
SHA1 d3e85dc5709ff4013c9904eec579cc268bcc843b
SHA256 8443816d6e933358cdfaa82ac3e75758347d31d02a0ea23c71899c875b2069d9
SHA512 3b119df0b7d058f47834259a907ae3e132936d2897dbc178eb425a16948c47c15f5126eff3cc5ef306b2ba967063dcf7e5d0066c9102aeec214b12d692d0be8b

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5WidgetsKso.dll

MD5 5545333769aa479ed5e4f23f40fccd99
SHA1 c216b59399217290e9f579c1521f0b724d24bf0b
SHA256 a076e1fea2fa579e647968a25c96c7a472d279883fdf25a0dc6345ed6ee5829a
SHA512 e3520b4e544e0b3a3d9d2404d63423968b8c5e3426e88ca71e2d1743520e6ec81464baa2b01fc6199e1004d5496c7d49944d7b4cea84edab384decab3a27202c

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\platforms\qwindows.dll

MD5 07e26db5ff3902a3f6aa4804d030982d
SHA1 dfcd419b7d1f52d55f679316110e77c66bf2d289
SHA256 0d55c384a68fd74df4034250ad60e04de00f072221e95d79ed71a0373db224b9
SHA512 d9d7576f20664600d44f63db99ef23d7a5d03d85d4e7403d4787ee709d63665e52e35f0e2e8abe4c2a5c4db040bd0de4530ff2d87d3fe9ae2df2abaa433e11a4

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

MD5 b6753bec77430c645682c3b705b6cc13
SHA1 ac523c5a8ba93cdcccb626b359cbb061d45528ec
SHA256 cd950cc5dc9cb3d6634c93c53d044021df14460b7ba25464a2f23389e49ae10f
SHA512 f753c6f3945c3b85460486309bf8d63aa8432fc6acd9be5808f1fdb8b79effcc518245054b14ba0acbe3397145facad3a30d576149dffa344a2823d58a2149fc

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

MD5 daecfd1742dfdb76c6a5663c8b3577c5
SHA1 4857af5fc2c4b780b325682210873748448d9e76
SHA256 550f635c1c6610b07af9177df139b914d1f42299ed8f75f2dc0f9ac3e2a96294
SHA512 97848b03260c4306f93339096c4e2d0c5e20715580267c29a1fff16df1056f11662dd2e21bbe85a34d2b07f9806820d1badd043065692699db622e6dfaabd02c

\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

MD5 c86cfa96b6bc8d403cc27fe4bb901394
SHA1 c7abcc4df6b149ce9fd04597bab5a2a7d85b53a9
SHA256 ebfe0b2f1ec1d2330329f533d27225a7dde70711b718b71638aab753727f4fb1
SHA512 19ff68d0e52e856178974e6af89269bbcbd47090caea7964c3c1e8fdba0d340a730b6415aba17c1a66cbf685de8b76a98fd68aaaa78c887e9298c187579e118a

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 0d26445f495aa8fa75cc04e5a33b02fa
SHA1 b80a07cb5f9917f7c58dc234b7600ce601082fa5
SHA256 0a05798b4fab7472645fa34a60cc7410c93e3235417a55fc9275749882e74a16
SHA512 d6d3526b1e3d02d566e445dd4e78717fbf389b694ce4f8ccfc6c87efeee5db4ba34d059e2eb735e5ab78bf65afadb82a60518282f708b575e17f208276dfbdb0

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 3740e74f736e1312b3d74819cdfac1c1
SHA1 751a4c3473f48216a592f8054500684a89e55828
SHA256 8b91bf4a8a0d040ceee5be9330e98b414c86efa65ecb2c55f433f07f3aedee22
SHA512 7c7f1147a615d3e6b6c2e60a1367b209b56337b597a1f27c4ae8075aadea15b6352db378f10f73dfaa01720edeeaf528509dc6073763072a02db9727caebbe8e

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

MD5 c5ad1903526a9ca4c2f55cfea1e22778
SHA1 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512 e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

MD5 b4b4c703bf5c6c0b5e9c57f05012d234
SHA1 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm

MD5 2b42be10ddde43a0b6c2e461beae293a
SHA1 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512 be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll

MD5 39f7a2e4e5493a25ff8597413372d8d7
SHA1 4dab1118b5b962f1dc89fa29c5f10c8bd7d1fce1
SHA256 6b9428e6c7563b32481cb9bbb15e9126376bd123b213b94b6cdf82409a5b57d8
SHA512 80063b8e9f8e328e8746f6f8b9c73bafb0bfd9c89d0743da186de193c3676d7702fa1ecd82fa547d5628f4e4b96c3869bb7521f25bf2843d260dc0339480147a

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\setup.cfg

MD5 1c1eb59705cc6888811f3019aa3be6dc
SHA1 561a22bb405b8e77cfa062dcbb8ce2589b23bd46
SHA256 82602748b45b6a64ac854f1168604051292f8c14838b9dff5a804138f21600dc
SHA512 17ceae557b779ab759e741a5bffbee50d35fbd1ab76bfb36c5c28d4bc33155f9e719a5eabf9593083593fbfa7f3037fd1621553fbf8c5ea391e8c82be118103b

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

MD5 183330feb3b9701fec096dcbfd8e67e4
SHA1 2f43379fefa868319a2baae7998cc62dc2fc201d
SHA256 ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

MD5 20704171f1c20337f7348ae4dab809bf
SHA1 c0a8e284cab4e843bfd9cea49e221efabc971596
SHA256 03d1cf8f9801abf3f1a10ccba0a3b64f38ee209b4ce84c0b8e6bc72c35f61a7e
SHA512 47b791b8e8ca250f041390a72d0d0bdf4ca3115cff579e649eb45181b2d898dc664e7d53273e46230440b3428c613bc30fc7a6818bbd17daa635e2ef5e0e1b0e

\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5NetworkKso.dll

MD5 c2d146a5359002a751ca8ac02a2af3a7
SHA1 847b3cb0ba52fe77869800accba3feef4486c2a5
SHA256 e0daa77458e3833d7dc90dc571dfe576aa08e0f7f7d9bd2ba35bf01e534d5eae
SHA512 de84d24894f829f72562c848c64dc7d43556f4e93706b602ff9f6d891dc8757691e0f742dbbb8125eebd069479f56f0cf7af8c04db286187f87b0eb3caa2603a

\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\api-ms-win-core-synch-l1-2-0.dll

MD5 eb6f7af7eed6aa9ab03495b62fd3563f
SHA1 5a60eebe67ed90f3171970f8339e1404ca1bb311
SHA256 148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02
SHA512 a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875

memory/1824-3940-0x0000000037450000-0x0000000037460000-memory.dmp

memory/1824-3942-0x0000000070750000-0x0000000071099000-memory.dmp

memory/1824-3944-0x000000006D500000-0x00000000704F6000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

MD5 b719be776167213ac6d5bfafb1cb2612
SHA1 edfe0028b5e1ae4171493b077dc332872d4f83ff
SHA256 e78c7d53f11d2c96244baea939ea77b3761abdbc75912812060ab3e8aa938e44
SHA512 56e2a24da00d5d4df5838e9dffb42a7ccb19ec3a4b2ff74858ccdbd7b3d3444907581b5ea426670a4b85b5a229d84441eb7fec023d2eb7ceb366c2f6b387f7bc

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_06_11.log

MD5 93bdabeac873fb56f049f9659336240f
SHA1 1a55f154a232aad1618c5bfde1a195a91cbde339
SHA256 92102d802bb9b64be87e1ac0b68c1310044cbe62ee2bee7c4241ae5f1fce6ada
SHA512 d26d892edcfb9841942b5fb61699de5b0040b764ed73f5bcccdd53b6514069773b87f0bb2eaf536027fc9d5b55e97b6e014a9e5b5eab9e6470a7c9685a04646c

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe

MD5 2ce8dfb2a53e622411af4f8078d1535f
SHA1 ec2e4fa3911958d1ff23ed65b0b0f97e2aff7225
SHA256 90331a4a32a588f26eb815ee41f3f21d6e8d4c97bb6e33736e536e263f8bd747
SHA512 d6383ec1ae71a9a79f21dcb0a8bf7b75f2ed027cef756fb7cff2be35f02d220c8cdf9008ef7a6f938490490254a6d5b446480cf05a86b8afe5c1fc13c9036882

memory/2908-4020-0x000000006EAF0000-0x000000006EB00000-memory.dmp

memory/2908-4021-0x000000006EB10000-0x000000006EB20000-memory.dmp

memory/1672-4022-0x0000000037140000-0x0000000037150000-memory.dmp

memory/1672-4023-0x00000000371C0000-0x00000000371D0000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\oem.ini

MD5 223673e5e8d77083765b70ddf7a0f7f6
SHA1 3b5c4d6304ed6ada0ec607f44a2aace24ec16126
SHA256 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82
SHA512 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52

C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

MD5 d32df04f1fcdc8da53d9fdc14b69973b
SHA1 df451f4c5730f9d2f21ab2618491ba376d96ae67
SHA256 33450b8e8df01d1d106dbb8928d63147a8f72e68fe6f3767511a3c0c51a89dbd
SHA512 d4cf7270b5f6e065fa06b275b3e4c337ac9e39cbd83e7f6e675187600bcfc501da466ac624225cac4b4eb7a1606a372e768a626b0675d2d35e2f518af28527f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KST91PQYBPI7MYTON1P5.temp

MD5 a6cf09d5cabc878da43ec8dabed4554d
SHA1 15d296f66e0a10c05168ab3fc6ca4ed33c28c493
SHA256 e4de3962a4d019bf691fff7cdb4322bb47d430728cc93918ef332cb8afdbe28f
SHA512 8a274c590b471075b055a5b7fb376d560194a083b8fe04f937320169d1c03a689650321512c0296384c7828d3c5708404d393fb6f57d0c1cb80bd39ac861ab02

C:\Users\Admin\AppData\Local\Temp\CabA1EC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA1FF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/780-4450-0x0000000002A90000-0x0000000002BEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\plgpack.plgx

MD5 5fc4ddb38cb10ee798c5c8ba890be8bd
SHA1 738a8d1f6ec8bc690c387d5991cc8cdc7e7f79a7
SHA256 bd077d51c874220b491058034a3ef9ef147a90399d83cde38ee27cbef68bb0f4
SHA512 60036016d454732336e7507c5b6101f7b0b474bf80f8f9099ab38bc8bfc3eebea31794f95ec4e91e55d280bf7236577b4ee248c7da6c98a4c2a532a7f98f5270

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

MD5 134d92d41c65fcc5562379cc2842f786
SHA1 f628fa2b086ded3d6bef53e107c5ed4433cdc408
SHA256 1c4b37edb30af230503a6632d6e6e23e8ed3cf75fa700d5b0187257a40947dcb
SHA512 a41e90d26e214dc77749791fa76440d05dbcfe153100bd720a9ef06891bf8129d052ca8e2021cb4586c2d06a923fe023f76773b71cacf188df78d6a6ce7942dc

memory/576-4619-0x000000006F950000-0x00000000704FD000-memory.dmp

memory/2796-4653-0x0000000073BB0000-0x0000000073BD3000-memory.dmp

memory/2796-4652-0x0000000073C50000-0x0000000073D99000-memory.dmp

memory/2796-4651-0x0000000072A10000-0x0000000072E81000-memory.dmp

memory/2796-4650-0x0000000073DA0000-0x0000000073DFE000-memory.dmp

memory/2796-4649-0x0000000073E00000-0x0000000073E03000-memory.dmp

memory/2796-4648-0x0000000073E10000-0x0000000073E15000-memory.dmp

memory/2796-4647-0x0000000073E20000-0x0000000073E23000-memory.dmp

memory/2796-4646-0x0000000073E30000-0x0000000073E33000-memory.dmp

memory/2796-4645-0x0000000073E40000-0x0000000073E43000-memory.dmp

memory/2796-4644-0x0000000073E50000-0x0000000073E53000-memory.dmp

memory/2796-4643-0x0000000073E60000-0x0000000073E64000-memory.dmp

memory/2796-4642-0x0000000073E70000-0x0000000073E74000-memory.dmp

memory/2796-4641-0x0000000073E80000-0x0000000073E84000-memory.dmp

memory/2796-4640-0x0000000073E90000-0x0000000073E93000-memory.dmp

memory/2796-4639-0x0000000073EA0000-0x0000000073EA4000-memory.dmp

memory/2796-4638-0x0000000074700000-0x0000000074714000-memory.dmp

memory/2796-4637-0x0000000073EB0000-0x0000000073F1F000-memory.dmp

memory/2796-4636-0x0000000072E90000-0x0000000073393000-memory.dmp

memory/2796-4635-0x00000000733A0000-0x00000000738F7000-memory.dmp

memory/2796-4634-0x0000000073F20000-0x0000000073FA1000-memory.dmp

memory/2796-4633-0x0000000073FB0000-0x000000007429A000-memory.dmp

memory/2796-4632-0x0000000074760000-0x0000000074763000-memory.dmp

memory/2796-4631-0x0000000074770000-0x0000000074773000-memory.dmp

memory/2796-4630-0x0000000074780000-0x0000000074783000-memory.dmp

memory/2796-4629-0x0000000074790000-0x0000000074793000-memory.dmp

memory/2796-4628-0x00000000747A0000-0x00000000747A3000-memory.dmp

memory/2796-4627-0x00000000742A0000-0x00000000743BF000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Local Storage\leveldb\CURRENT~RFf76b471.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\res\static\js\manifest.js

MD5 af5a4ff62384fe67791d8cde9176ac0d
SHA1 cf5aa9528fe795b75a569352466ad944652185c8
SHA256 5d1122539ce1ae98804e216cbfcada9f2603fe4f86454b2b29e7d7448da97891
SHA512 f78a72b7ba06b257fec3a97bb62d20f7562212e995d62438bfe3d8181fe7f56c3e14194e9203e64b0e259a7cbdd900125f5f185bc8d736c881f8ca0e2920273d

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\download.7z

MD5 f9ff8d5420b4e94b56438939a0e5dd44
SHA1 200ed59ff1a7c7c031f40ca11fddfff1591a2b44
SHA256 b693e86dc4cc14fbc3dd769fc6f74d312c05bf927dd1bf5ae338c419f853b853
SHA512 dcd3bca7f2a550e13ca43f0f9af59a12b5f7f10c9762802c97c7ef308353ddb23e2b87d42d306f967beb6684f4da727a1b3785466cf2c1ee73dcd4aa8e09f3e9

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.123\download.7z

MD5 74432b07c0d487222b7e2cbf41f64cf6
SHA1 f8848146f77d934e0fdc5357ae7e250f317477af
SHA256 2900cd45164c200a4d9dd39f77bec89926564a87f6228fc3fee1a6058728e3f2
SHA512 17cd2d8ff90f3b8dd251099cde43ceb8bb342484295a52d3f587ffad462c4fd9f6418b35452ac7075bf421fce380c75b0aea164319b7bb2db20146c3efa76f72

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\res\index.html

MD5 66bbeb8733bee0c788685880cc46acc5
SHA1 07d104aa23fd4ad765095ea771667e1440ac6bca
SHA256 faf96f1472b09c6eed78da690151b5b57133733e2f562dc6678602746a79342b
SHA512 2d919a92b2c425d0f08d609fd825de151c5ce54cd31d83405054fa84194c85568ba512af4f1b38136c12152764ae0ae34441f36b4f23ed5ae74438502b0d1558

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.123\run.ini

MD5 da4b75c3d70c08be415e7b25abdc11cf
SHA1 c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225
SHA256 e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36
SHA512 0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\KWPSUpdateMindBubble\plugin.plg

MD5 7ac31d26b13c6f217ba8a3b10ef3dd8d
SHA1 457193d0fff37ad6c0ae6acbd4cd71acba253fea
SHA256 9835b153474bc9aaaafbd3036a03810bbb8f21406ac8aa70e0c0b59484d5e202
SHA512 d0892d26e2f18ba2d57c73ebc5de9a749c1bde385993faa6b31e45b565da44ce96f665263d2b4a68d76cda596d4e7a0c0c194535d2d8d37aa7c082394b72a303

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kuserinfomenu_1.1.2024.1\mui\default\icons_svg.data

MD5 15801a93c46565187d560863a0061791
SHA1 515475c176bf8d4ea28721ad8a41a63730f64617
SHA256 eb89917938b1c7f84eab66320d4424793a2eca6cce0e30ed994b7c2891bc0d48
SHA512 ae5ebbf60fe06f11f0f2afc3e8c6640bf73a444c60bb9181366fe4ed80dc776c50838e6e9c56fd11fd04e166237ce742b4d6e5efcf8646bc50ea2501005c14dd

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.107\download.7z

MD5 0edafbd62638a75ae8b4debc9fd0b3db
SHA1 814e953384ee2771bfcde0584b0f6f5691217ede
SHA256 3332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8
SHA512 ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photoforceasso_xa_1.0.0.1\download.7z

MD5 890018bbb3ab5d25a6c1737e7f128bab
SHA1 50f258af178afdc80bfd32b4d5ceea74eb3fb312
SHA256 5f2b53d5348ee9d43f2f4eeb15443af7b236f27fd699453685c32fe98ad79e7a
SHA512 cecebba4846a8bff6bfee6a0ad89361e3d39f8f2775b68dee22a0a96c1a0ee3792ce0749295a38ae6d004a60dc8a9894b935d520a651fa192a30781c8543556b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kuserinfomenu_1.1.2024.1\download.7z

MD5 047838d673c348c89a467b4c0fa4cbd0
SHA1 d93a46e534422f62fec109c4098902991eb08276
SHA256 a5c428cace8a68799441b01ed3ab62e528c0a1b01862c533b2d1770824dd6129
SHA512 0e8c010162bd5f204824df5d9c0900199585db5a777915d36ac4fad4871210d798167ea87b2818990807ef0986c940b258643fb6cab260394497135aa402a170

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photoforceasso_xa_1.0.0.1\run.ini

MD5 82cb83edcdc6d19d3e10dd42ede04a54
SHA1 3a9dd33485800ad156f7fba8c637ee59e4ba2d4d
SHA256 a11a80d525c8dbadbbfa8bdcee6dc6b5d84a947d44cf0ef2ba1ed1c9b51cf392
SHA512 eea882b5030d21a6c88d53afcebfc399a4523062b3d6c99aed9f7eafaff1483f0eece912f75fb11c30f48af645bfe157afd33ec8047249d3f79c39dee057d599

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\photoforceasso_xa_1.0.0.1.ini

MD5 508370f78327c666be4501d073812950
SHA1 874374d638d491266da8a4b5ef905002c28c2f38
SHA256 aec368c859cab36a2ca31d36941af40e15a26a8f85eee679be85f45625e91da1
SHA512 c905ad292f7c695c0260f3310e27913c555bf3763e864bc2e1f90829a748c1cf7fcb53aca2314607383cf321782827674d2715b784821334d637b57d5383a084

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\res\popupVideo\img\icon-close.svg

MD5 638afc2355d020561133690e6ef849bd
SHA1 1014cd4cc2b7647ef82044dbacaf0d6926aace7b
SHA256 3b315efb51c084c848ee511dc462eca1b28a6b1c149aa4befe3b98d26281db4b
SHA512 dfd817879a8e772b485d73881114a9e9bcccf29884d0f941bac614667faa4c6c38a971e4d0bb94a7390c6afb069b5bac4a20f67d347f90b5ecbf63a85ffd742b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\download.7z

MD5 7be45b4650a019a60c8eae76b6e1f0b8
SHA1 ddb17c729a0b515b7fbf8bfbee887746dcdfbc3b
SHA256 988a9b41dba2fe2d576416c2ac9fa8c72ed9a1f541bfec4d126a209274dd812c
SHA512 3551447079c21d0934828ebb769d0b4326e5d6c6552885c9824080862d09c48324210b63e25bc1041dddf8ba32528031c97e8d37bc44d78b6bf2fa7183d66905

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\res\popupVideo\img\icon-close-hover.svg

MD5 2ba5639af3d54e842950dd70111494f8
SHA1 f893ff8e9ea8e7df7512ca51640b3535b8d36603
SHA256 34bde4a261024c7f1765684836ca58df2928d35069b9e35913a79274b22f60e6
SHA512 e026d283adcd1c8f5c7a6d4e68b17754ecce0374e4fc1317ead694a078ec2268d9cdc8924fb8d2b36ce60835399598e508874e552ff74e9fa5d90fa65ddee013

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\mui\es_MX\kdiagnostictool.qm

MD5 5afc7d8ba894df59c2b3f44726cfc2db
SHA1 a21a7a8fd943455fa47cc5d950603bf1bc5a145a
SHA256 4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be
SHA512 a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\mui\fr_FR\kdiagnostictool.qm

MD5 62f3720e184f094c874fe0eab7f0f598
SHA1 cdd858a80bbd1268e7c5278ebe19c35659871d2b
SHA256 bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14
SHA512 14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\download.7z

MD5 fd1d8a9edeeb153f9e53d1e2522e3d70
SHA1 53807b925cfc9ad101005983cbcb98e14163353f
SHA256 d8ae5a02687c2936552f691858150bf3286236bf31a6014e6655e576c55c234a
SHA512 4e50a7f2b9030e607a3658942de482129a2a4cc8d965d70a46b7fefd7bbe379368846bde4c99e131035069e3f9bb86386a1797214885678354a38d13d599fcd4

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsinco_xa_ksolite_1.0.2024.3\download.7z

MD5 7b979dd63724d952a1422473776c4757
SHA1 c8b2b477d6f52ce01ebf87d1c00cd1886b3577b0
SHA256 6b32a77b31621df79ae220ed6bf24558319c438230af2cf21292fdfbcb69f1e2
SHA512 345eaa9f8d801670d517de34baf24114807dd5f92189744512561370627fc48468fef0e0b9718ae249715b97a8cd304bc619f97ee35adc3177c363195e6d69bc

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsinco_xa_ksolite_1.0.2024.3\run.ini

MD5 235c61a9b48849f011b96ad861d1606c
SHA1 5ca11e0f37f20499be6583d85cbbdb91419aaa89
SHA256 7b304b743ca6598f385a05c8c39408ae2cd406d2190e49eaf28989059dec4492
SHA512 ca75e4170f0c9842cceac6c6f69bae606ef57cb246765272d4da763cbb6d1d37dbff775a45cf592064f004d60eeee507ac04549ba91d2073113c803aa081a7c5

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2023.32\download.7z

MD5 6e2fc2eede73e3efa5fff9333ff40c9d
SHA1 00cc9b3c84780d65e4aa4edbb19303974e9a200d
SHA256 845b89c37d4cd41b04623b5e8804d69aef323b18b1d2dcc860777e776c048012
SHA512 d5c1e13d93b12ac0eed567dc0063cf83e68b9d3edd03756f0b4380521f9e974a31878c0213e81bfa38510c6016a7b71edc16bbb06bbc5ff89acbba9d8ac1d54e

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2023.32\run.ini

MD5 ad3a68e7d8c8bf2470282567d8ca7ded
SHA1 addb5ab04165b4743ffb985918c08ba0a76a6eae
SHA256 27e743bc78f9a2862d822fc171789160905ee26545466f93052f8565aebd523f
SHA512 c8e4b63fb79c365cb48a0ee0c4351f6f94da9ba8ce62f0b14d8ed45726ebaa478f581efb37e254e75e1c561f5ffa1d8985e867957c68c04b8eaaa2945e838505

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Local Storage\leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\chromeguide\plugin.plg

MD5 85920fc5aae6425b2c5eb46507500e1e
SHA1 43b85ac7a1e0b4ab83313b5df0997a6595bbbe12
SHA256 18f743d7cd9582bb7d37a2e1fef73e6c2192c8c4119feebeed6f9590496590a3
SHA512 2c865624618a16c2de85ba93b05a41ca3638fc04b867962ef7b1550f43c6d732dc4b3da84764f9b8584bb5dd645faf286c4e2aacb2e54c9acc22489570deb465

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\et\plugin.plg

MD5 b330323d4f3e9c5f65d4090068fad2f2
SHA1 3cff5b78ea82f6e628809523ab3ef8adb737f097
SHA256 a42b0f39532aa7ee9dd68d92a60177bc75e13e44f051b36bc24f0ed4dcc30eb3
SHA512 a47f5e0a8ca11d78a7edf8ef7d26e4ec2129c1d055f33a933d99fbf1cb287e06e9aa208e74b5b09ee210332fdaa44df17ea432baa3630af19f9bc16466abff6d

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\kappframework\plugin.plg

MD5 c480aa9ecbeca164f2c4b65703735f88
SHA1 bad457b7be00fe8c88321e6dcc14b4e914164ecc
SHA256 407b17b8ebbc8ebf024c4a0c89c7975ee52c02c4fd4be90a07f9129ae7651cf6
SHA512 f6f9ad841c5e6541511106ab7c5224b1bc2e4655ab853c7b43af91f6fd8caa009fca424cb65c72210fee3a26f478d89401fb4024a1fd5d27bdc7112106615b69

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\pdf\plugin.plg

MD5 368d5dc1b407ffa7eb2d490d048de943
SHA1 2cb8d6b77fecfd621391f9378e2210f3d60190f0
SHA256 16c0708490c449ff61dfa3284313554ce44ef6b96a325f4818bd1e0bcdca04f9
SHA512 7bf235117d9b6fd04ef72fb3763bcff44755896785dad7dd432142fb9b5b2a736cfdda20d10c22a1140aeca0392e058ffd666d412e4ad6fc426d7445c8bfc783

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\pdf2word\plugin.plg

MD5 6a13e38dc5123fd5fe9c4e971e3fe7dc
SHA1 21ab4a505400a46a11366e27ef7bb538e04c61d2
SHA256 20f46b032a3f1e85daf1ad3819fe705fc386e5e975e53627a15f4ca1119a9c76
SHA512 ea89b0fa5a23d0f9d070dd5838aaf77bd100b1c9cec3c73e81146297ab5b4fd08ac9d9adc084f8bc1135f65e5d678942cab54a4860e6dc9ae11d3409a33f7ee5

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\photo\plugin.plg

MD5 64e11ec8259d13542ff86c5fee3b6ff5
SHA1 3c3f098e58e83b4ffea387ea030b2862340477fe
SHA256 424ab36ab8117d38888f5bbdde9610e5dd29c35022893ed2b85acfd7b080158b
SHA512 6677e9e464d6559c65b8377eba5d1570c721193d7bbf681392c5f037e64984cea3d7fdfdff6f215643b34bb4a92771c000e01c1dca704b30fe7ee20177e1325b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\qing\plugin.plg

MD5 5509ef75346a8ba1459a3a699304817f
SHA1 377f771755f0be245963cace9ebd4f01f1b60150
SHA256 b1b204e307ea2d74b95d5a07c1c3180c8d15892e8438b8538d487ebafeae4be9
SHA512 14d064f685323f984641d50dc7eb1ebf82596435c3745051104b61717d897cc3a06e387daa6ea5d3d160a468a750dd08969bdf27f987d73483222b189b8aaf55

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wpp\plugin.plg

MD5 5d0bad20a3e197f645bdc6383d3e1b01
SHA1 906d76437fc9b452dafdf868057d42944e4d9a5f
SHA256 a3128523eeebb539908d1361fbf7f2a646d3e9c61dd1bd7093a585d5bf197c88
SHA512 2002ff6652e9713f8ad5e053b7973dee0f4587c2898590da4c75a030fd2f064078fe34f3fc28908054fd25cd6b786d6cff1ebcc4e57be60ae9901404e6b782b7

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wpsoffice\plugin.plg

MD5 404286e0cc214be383c8c544b8ca52ad
SHA1 a6a4f39540d75d7f135910cd55c39833d4dea20f
SHA256 d1d4f345462dc6fc9c8c9c25ddb179f22c6458144564c77b1f86f26f98bcb639
SHA512 ff3d3c80b761ef90e215938cdf8f29d9d412766f926cc5104bf67af050ff777ee6ca8ad2ee3c1d65afa03e86ff655f6d0935d59ed565350f99a69392f3a97d71

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wpsbox\plugin.plg

MD5 4b7fc1e905714c7f4f5aeafd9dbad7d4
SHA1 fe47d5355b9c8c41dc4918ed73cb1590418dae8a
SHA256 d671281d56b664c5e981a446cc9552eed28fa3031ab3f294415a0bf3808bf7db
SHA512 c6d19c02649406d3816caf67344c69f23fd319140e82de4822a377e377cdf1b5b37e261b69e7dd271dd46e4fafe14fef379b02df2369251f5223c7278b77a3f0

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wps\plugin.plg

MD5 4ea68dd71ec5efec0b9c6631117bcb00
SHA1 ff9743032cb0ae2b2ee3d8d93eb035ca6bda3250
SHA256 6446d6e1b64fc7fbfd234d53f645cd04fbf662408065745070d97a7f018accdc
SHA512 28ed1b6dc1de0fe03839d01c143f344f6c226e766a27f7c4df781a35dd0fd9289c941b1621cca570a0eda1547cf00d111ccdc27e8086950f8e45d78821fba634

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.180\download.7z

MD5 63c4fc2706885905af8ecb9e8d6e7587
SHA1 d87bc3aca0ed2f995cbe5420f9d604279c85b4df
SHA256 67014918d74295a7eca03d3edd4d7d35c14271bd731ca50744649ff8a91785df
SHA512 a114cba2736da1c6da68a246076b0f00c6d2596de2f596a97136054efe811e7445e66c38b4a940fd5aa2b7e23d4c8f708516821c51907c1d75e9612c872f9f78

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.195\download.7z

MD5 41bee6b98088768aebf4fa633def79fa
SHA1 384df283531623cd111f0b524105b85e27903976
SHA256 daee2b78f4e2960a35a6e4de3ffa0dca8068725d0f1b18f6d48a5b06c8e71003
SHA512 6d0c3cb900b00ccb48546fed9e4f633f05f5c61be55ef3f8fc8d3761acfc3d3d2728ee7fc96e5c68ec4a2ffb2531eafa9b5c48701de7feb9f404d1a6c73dc824

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCE3E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fca8df9eb4b97ab02cfd86e21425529d
SHA1 e93d458733d9f1c08674a88ed8090ab3bdfd3765
SHA256 96da214544b9aa30b3550ddd869c54932abc0f8f7c89a3ab8a23d8d3a5c224db
SHA512 156544287b7f02fb7e9082589179b0c8bf86de6fce189c33597e0b503378b272b7be8ebc2a77a71bc62271bd6394285101eb8a52adb60abe318cc372046236cf

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kapplist_1.1.2024.2\download.7z

MD5 e0fc385e5bc52f99af3f7703dbfe0406
SHA1 75ab2b73effe5290f0d58504080cccd3185306b5
SHA256 64302243aae430bdc73fdb272c2858bf2d59615e3a6fbb787cc61d406693c882
SHA512 494d07ba5339df67364f74bb647dd3983ee17cac4971ea60035cd80c6e5f401b929fa6615c465ae74764d6c4d777388ddbfb1dc10cf00749ba7ee695e2b0ca3e

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.8\download.7z

MD5 1765efbf2935f90b026320f5a33bedd4
SHA1 c2acad71c969dd84121d38037a28b24fdb03afb7
SHA256 039acdcbf2758949a2ff728cba011ba4310303fa636ae9789b2c193ae7dbb697
SHA512 9bc6e294a159a0ed82901d6b1702171d4ffd1c0a344ffdbb7d80d9a7fa111daed886d5e0f459830cb0d8602a4299fec5fbf55fb4655fe32ae9e3331cdee14ad3

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidegopremium_xa_1.1.2024.2\download.7z

MD5 69f0121871c4fd001f9bf2c22c8f1852
SHA1 b2155944f37f6ee42ae3b693355a9a1f93972009
SHA256 f7e8bc519704a27bfdab7da117f85392c41b3300e5349c107b397405ce77f0fc
SHA512 e495d74d8c6b4989dd3de5fd3d27e8f3f3af608ccec593b68fcc67f21f7879e211171c91d7e22a0fbfdb5bec80906c4c9ff1f21c8c8a71565ee9f23f521ea788

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\resource\premiumcode\element-icons.ttf

MD5 732389ded34cb9c52dd88271f1345af9
SHA1 8058fc55ef8432832d0b3033680c73702562de0f
SHA256 a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2
SHA512 e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\resource\premiumcode\element-icons.woff

MD5 535877f50039c0cb49a6196a5b7517cd
SHA1 0000c4e27d38f9f8bbe4e58b5ce2477e589507a7
SHA256 ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17
SHA512 da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\resource\vippayment\assist\base64.js

MD5 12477cb6bc99f90086f05e54ea7dcbe8
SHA1 4009eefda873514a6579830888d5f12c50d7b3de
SHA256 6520eca957e8a4d7e68e0dfe17f1cea9d42c6378962f454e7a911ff32e5e6248
SHA512 a7a16f935d71f60bb382622ff781a3cef234865efbaef62ee268163a416bdd9ea285f33c843fb729cf8b8eb6d18a81de5311b01d19b48c998b08d79f29e59d13

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\download.7z

MD5 456952a0266ebde5f96cd1de8e284e9e
SHA1 124d715a75496937de3761b548ea944b07ea2653
SHA256 c2bf7eb754a1eb45fcbd1a1ff8aa7b022e2eb386ee6531a8729fa0e5b332ab70
SHA512 6c04f5fd49d76fc7c86d188a9b664a26ea61f43b39be6d3278c1dd41d3ae58b10240a574aa0a06ec125820df11d71c3107e020ca5017038b4fed31918627f0ea

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photo_1.1.2024.9\download.7z

MD5 52fa9ee47c6ce4d0daf599d851515659
SHA1 f2d5bbbd452e58b999ddc13122dcb740f42c4519
SHA256 f80174e11b2ce95c8325bdad9c8d69ada0835d04c6abae0a6a742566af0c5dc3
SHA512 f794ead891c33dfbe072f122cb72a3cf968da4f426699937d3890d4997c01bed632b9ad7ca24561a4ed777a011eac9181b71ccaa0a8e5080b561258fa90f8954

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Network\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Cache\Cache_Data\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_06_11.log

MD5 7bc295e55a66413e246a056fcb0e3b4c
SHA1 85a6cab2cf05193f7cdb8bc77f33f435e0473c85
SHA256 cc78b6b5f4e8438e0175e3f5a20279aab3efdd6befd2917e4515a59db7cf3a9b
SHA512 65cb35feb9fbe429a281c1184108d4ad05aefa25252c821d79da7fce4ab803ada964f2055035a69be85aade852432e492eedc5014f2b793937d4ef9d87317899

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 12:17

Reported

2024-06-11 12:35

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\refedit.dll" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\ C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wpp /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wpp.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /Automation" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\kwpsmenushellext64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\ = "Player" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{0002095F-0000-0000-C000-000000000046}\ = "Panes" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209D1-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{C1A870A0-850E-4D38-98A7-741CB8C3BCA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{44720440-94BF-4940-926D-4F38FECF2A48}\3.0\HELPDIR C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0317-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020881-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020928-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020988-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{CAE36175-3818-4C60-BCBF-0645D51EB33B}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A5-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "PlotArea" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{9149346E-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244D4-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209ED-0000-0000-C000-000000000046}\ = "SmartTag" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{FA02A26B-6550-45C5-B6F0-80E757CD3482}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{D8252C5E-EB9F-4D74-AA72-C178B128FAC4}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002446F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208CF-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Excel.Application C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209C6-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020958-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{7759D313-9C91-46E3-BF38-3B6E68E0B1C9} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244E0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208A3-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{6D3837A4-F05E-409F-9A65-0D22505A49C3}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BE39F3D4-1B13-11D0-887F-00A0C90F2744}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInDesigner\ = "Addin Class" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020961-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A1-0000-0000-C000-000000000046}\ = "_LetterContent" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00024439-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002092B-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{766FBB6D-7576-4C00-8CE7-C548751812B3}\TypeLib\ = "{D626EB73-B7C0-45EF-922D-0CDDAEDE12FA}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\VersionIndependentProgID\ = "MSAddnDr.AddInInstance" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0316-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C03CC-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002093C-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024432-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\.ksobak C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000CD100-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020942-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{C75AD98A-74E9-49FE-8BF1-544839CC08A5}\ = "ChartArea" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020926-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{30225CFC-5A71-4FE6-B527-90A52C54AE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{4A304B59-31FF-42DD-B436-7FC9C5DB7559}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244D2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208AE-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.RTF.6\DefaultIcon C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020972-0000-0000-C000-000000000046}\ = "LineNumbering" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{07B7CC7E-E66C-11D3-9454-00105AA31A08} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000208C2-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244AD-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244AE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024488-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2512 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2512 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2448 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2448 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2448 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2448 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2448 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2448 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1896 wrote to memory of 4044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1896 wrote to memory of 4044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2512 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2512 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2512 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 3744 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 3744 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 3744 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
PID 2448 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2448 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 2448 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3732 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3732 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3732 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3732 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3732 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3732 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
PID 3744 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3744 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3744 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3304 wrote to memory of 756 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3304 wrote to memory of 756 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe

"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"

C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe

"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_E581F5A -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E599522 -forceperusermode

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E59F8DD

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3732 /prv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"

C:\Windows\system32\regsvr32.exe

/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.wps.com udp
US 8.8.8.8:53 params.wps.com udp
US 8.8.8.8:53 api.wps.com udp
US 8.8.8.8:53 abtest-api.wps.com udp
US 8.8.8.8:53 movip.wps.com udp

Files

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\pl_PL\style.xml

MD5 034f37e6536c1430d55f64168b7e9f05
SHA1 dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 2526c946e9972c8e6ff274e8ccc0ac23
SHA1 d5615abfc489a34b9349d0d5146fee740b0548d6
SHA256 591cf4a6833cf16b24a441f439600804f5e2192f7985d92bbdf7dc66957b7c5c
SHA512 8dc93feeeafe0f97a2e6b46086641bf8e59b51a77b827143247c9b6fcaf7b0782ca7c73ab478b5e7478a82c39bf683f5720d6ac6aabb3ee5cdadf8f24bbaf42b

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 fd4d0094156b509e2c262432683c58e6
SHA1 3a1a2cc2e919055827503971b9788f70a8aba3fd
SHA256 bd03b5cd2a15cec78ee6ec93e1d77e6b5e0fd7dddfd1af24aee14e6114336c40
SHA512 eb5d8d061387f6375080a497482a90807a25f27a31495d19c82760be8d5b3afb9e875e76872d1b2ba02936dc7f56bd610707eb6899a0e95d2a529ad28c76181f

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\product.dat

MD5 275e4919bf12383eeaae2e35f1aedca2
SHA1 d63a89631852f77f4de039ee5ffd8b46b10e044c
SHA256 d8dc6cf4f19c29825a6da3b4ec663e36de45b1cc17b9b410025b10725f170072
SHA512 b0ca06ebef74c65e7ea7b1d0cc4c250f45134e195a822f8614d6ccb397805166b0399f4057d561e39ea996ab94a7dad40ed637766b781baad3db9af9926f6a9e

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 6a5eea749583001de63b993fc66496ba
SHA1 fd41691ec4751e85be89917d46454f8533800b4e
SHA256 bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 5e1b68b67986b1588301c0135f19fc7c
SHA1 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 4e564b66f5d80f10a9f3b214d9910e51
SHA1 b695971b2975e2a5456a1508f305eb4c675bd508
SHA256 0c5ebb0c7b662c4837dd80f93dccf173d4bda54cfbc896e9a80bdcda8bb15f63
SHA512 b3b5488d372efe41e76b9e20425494439f9fef79bda3185f5e3ed31fba2886b40c86773c97fbdc61a0625b30e0d55071c42b3a0cab92e309a1550e00d0186242

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\ucrtbase.dll

MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\kpacketui.dll

MD5 24c1c69547498300c8a9fef3d49d1f5b
SHA1 54adfe188efa56fc52438513692c1306f2f23e52
SHA256 c548c442d41c9ebd90fd22f4248097c857455f05a51125f00f10ab8a2e058cd8
SHA512 7693251d2dcac0efc8156a94957bf4be9492f3e179692fbe82c30d9fcc6e37771b79f569024a21545299cbc2081aefdd544388b42d635d99f0ff7c7fcdab20ab

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5WidgetsKso.dll

MD5 5545333769aa479ed5e4f23f40fccd99
SHA1 c216b59399217290e9f579c1521f0b724d24bf0b
SHA256 a076e1fea2fa579e647968a25c96c7a472d279883fdf25a0dc6345ed6ee5829a
SHA512 e3520b4e544e0b3a3d9d2404d63423968b8c5e3426e88ca71e2d1743520e6ec81464baa2b01fc6199e1004d5496c7d49944d7b4cea84edab384decab3a27202c

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5CoreKso.dll

MD5 677bc25f723c163aeb9408490bb6b782
SHA1 98f6ca86cd39c974083e4db1b0e193260cf46830
SHA256 87602cf0eeb30d81ad5b257c83931959e8d841e07ee81cdb093092b267c21abb
SHA512 eafacc95444a89448396cb94a52628bb573d562429f4368552d4bafc5323333ddd7473fcf315e012b768fe92ced00ad20c2f5138dbb1eb2f560020d5a1ffe7e3

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\platforms\qwindows.dll

MD5 07e26db5ff3902a3f6aa4804d030982d
SHA1 dfcd419b7d1f52d55f679316110e77c66bf2d289
SHA256 0d55c384a68fd74df4034250ad60e04de00f072221e95d79ed71a0373db224b9
SHA512 d9d7576f20664600d44f63db99ef23d7a5d03d85d4e7403d4787ee709d63665e52e35f0e2e8abe4c2a5c4db040bd0de4530ff2d87d3fe9ae2df2abaa433e11a4

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

MD5 b6753bec77430c645682c3b705b6cc13
SHA1 ac523c5a8ba93cdcccb626b359cbb061d45528ec
SHA256 cd950cc5dc9cb3d6634c93c53d044021df14460b7ba25464a2f23389e49ae10f
SHA512 f753c6f3945c3b85460486309bf8d63aa8432fc6acd9be5808f1fdb8b79effcc518245054b14ba0acbe3397145facad3a30d576149dffa344a2823d58a2149fc

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

MD5 c86cfa96b6bc8d403cc27fe4bb901394
SHA1 c7abcc4df6b149ce9fd04597bab5a2a7d85b53a9
SHA256 ebfe0b2f1ec1d2330329f533d27225a7dde70711b718b71638aab753727f4fb1
SHA512 19ff68d0e52e856178974e6af89269bbcbd47090caea7964c3c1e8fdba0d340a730b6415aba17c1a66cbf685de8b76a98fd68aaaa78c887e9298c187579e118a

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

MD5 daecfd1742dfdb76c6a5663c8b3577c5
SHA1 4857af5fc2c4b780b325682210873748448d9e76
SHA256 550f635c1c6610b07af9177df139b914d1f42299ed8f75f2dc0f9ac3e2a96294
SHA512 97848b03260c4306f93339096c4e2d0c5e20715580267c29a1fff16df1056f11662dd2e21bbe85a34d2b07f9806820d1badd043065692699db622e6dfaabd02c

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\vcruntime140.dll

MD5 e51018e4985943c51ff91471f8906504
SHA1 5899aaccdb692dbdffdaa35436c47d17c130cfd0
SHA256 ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
SHA512 2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\msvcp140.dll

MD5 5fd0772c30a923159055e87395f96d86
SHA1 4a20f687c84eb327e3cb7a4a60fe597666607cf3
SHA256 02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
SHA512 132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5GuiKso.dll

MD5 0849984cff99db55aba5d085efba5d0e
SHA1 802cdd8163ba992b206c0331b4fb4644bd7ff562
SHA256 e277f4876e73b81abbd09f6f1f5965adf50a458ebd3dcddd98f3f8a145a0f875
SHA512 cf6295bed846c41e899446ec8520a6ed1d7ca522b092bf234aa7912b8797a519501c5fb519b6888a65516c5923b74ad6674bd009c7672880fbb27762b1426b50

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5WinExtrasKso.dll

MD5 523c6a8629b886557c7fe84bbc1786a5
SHA1 0dc9d1fde374d9d5f36f78301d2ceed757ab442e
SHA256 1f3f02f173bfdb534b642e54356d4ea5a9f95a50d8cd49f45b5d30dc8e77c854
SHA512 bbcd8c1bbd3a02ea3e535ccf27f998a51885d05202331a5387cd76abee16247bc8ed63be08f9fe445ca4622a59e85bb7b20cd9f7b622937a17e93247e8585082

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5SvgKso.dll

MD5 e654635510b1aa9482796b2e543b6f9f
SHA1 d3e85dc5709ff4013c9904eec579cc268bcc843b
SHA256 8443816d6e933358cdfaa82ac3e75758347d31d02a0ea23c71899c875b2069d9
SHA512 3b119df0b7d058f47834259a907ae3e132936d2897dbc178eb425a16948c47c15f5126eff3cc5ef306b2ba967063dcf7e5d0066c9102aeec214b12d692d0be8b

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 acefde25e6466512a9b74f3977cd7a85
SHA1 514e11525e2db7ed1e696aeff899dfc0b09e7ded
SHA256 46cfef693f457047ec3ef407b0b4dce36a71a13af67a7eeb9963518926d6433d
SHA512 dd46c10f34e7fff2643c5d0e7a10fdac200038339815fd5b54887037ba7ac2ec31435f17a2903e610ae741675d80d9cdf851bc7a94c97119c8de212f57817c72

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 753cf983e32fb977ed61377d3dda0d72
SHA1 bed93f092da03dc86bf9071ff238df8551c556a2
SHA256 ed6bab0aa9432787be9260382f5702e7ee2f020dd9fe201d075826fbe3ebf37e
SHA512 4bd88ae89aa9a96e5cedb7d59a99a149b889a0ae5f3f69031042b7c6a03ef7cfee07b21c702da5de9aa3f9b0e1c16287567602a3c4adf9608472bfd6521f69e5

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

MD5 c5ad1903526a9ca4c2f55cfea1e22778
SHA1 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512 e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

MD5 b4b4c703bf5c6c0b5e9c57f05012d234
SHA1 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm

MD5 2b42be10ddde43a0b6c2e461beae293a
SHA1 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512 be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

MD5 12f25aa0d20ffb93e3090157102e08bf
SHA1 5a6144e0b6fce079a83becb5c1f81a0f719a5e99
SHA256 e5f45a8bd92387d17668e5d792604818de865b0113366006658ca4a64d1c87f0
SHA512 884de26e86eccee05b7c7a56f2848f18e6cef783b80d704c89189cb8fff6e4edd258b64d3ed69db9ae40e2c1131b0a251af741d86fed58b8ecf10a9401762ac9

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll

MD5 39f7a2e4e5493a25ff8597413372d8d7
SHA1 4dab1118b5b962f1dc89fa29c5f10c8bd7d1fce1
SHA256 6b9428e6c7563b32481cb9bbb15e9126376bd123b213b94b6cdf82409a5b57d8
SHA512 80063b8e9f8e328e8746f6f8b9c73bafb0bfd9c89d0743da186de193c3676d7702fa1ecd82fa547d5628f4e4b96c3869bb7521f25bf2843d260dc0339480147a

C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\dbghelp.dll

MD5 dcd7b4b0bd0fc4c5f243c1a95cdc040d
SHA1 573a66056afd4c069d3a9e62bf3b68c7d7e4fcbf
SHA256 9e6ed09af796b01f6ac2bcfa210be10558effe750ad41b8ca852bf8de2a25ea7
SHA512 ff336d34dd5146bfe624de62c59cc77eae39489d5fd1a79a1f42bbe4787549c13613463d56a8433a9dcf2d991aa078e20ced695a960d3f056137e845f15b7849

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\setup.cfg

MD5 1c1eb59705cc6888811f3019aa3be6dc
SHA1 561a22bb405b8e77cfa062dcbb8ce2589b23bd46
SHA256 82602748b45b6a64ac854f1168604051292f8c14838b9dff5a804138f21600dc
SHA512 17ceae557b779ab759e741a5bffbee50d35fbd1ab76bfb36c5c28d4bc33155f9e719a5eabf9593083593fbfa7f3037fd1621553fbf8c5ea391e8c82be118103b

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

MD5 183330feb3b9701fec096dcbfd8e67e4
SHA1 2f43379fefa868319a2baae7998cc62dc2fc201d
SHA256 ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

MD5 20704171f1c20337f7348ae4dab809bf
SHA1 c0a8e284cab4e843bfd9cea49e221efabc971596
SHA256 03d1cf8f9801abf3f1a10ccba0a3b64f38ee209b4ce84c0b8e6bc72c35f61a7e
SHA512 47b791b8e8ca250f041390a72d0d0bdf4ca3115cff579e649eb45181b2d898dc664e7d53273e46230440b3428c613bc30fc7a6818bbd17daa635e2ef5e0e1b0e

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5NetworkKso.dll

MD5 c2d146a5359002a751ca8ac02a2af3a7
SHA1 847b3cb0ba52fe77869800accba3feef4486c2a5
SHA256 e0daa77458e3833d7dc90dc571dfe576aa08e0f7f7d9bd2ba35bf01e534d5eae
SHA512 de84d24894f829f72562c848c64dc7d43556f4e93706b602ff9f6d891dc8757691e0f742dbbb8125eebd069479f56f0cf7af8c04db286187f87b0eb3caa2603a

memory/2448-3977-0x0000000037A40000-0x0000000037A50000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kbase.dll

MD5 575b0151a48a719119888cef4f7fca12
SHA1 f39c1765f8edf0105722e1443c24de32e25d9de0
SHA256 a789830df17282311db67dae1130e95988b78b1942667b5b13f2ef9e96c0ac2b
SHA512 9831cdfcad069880ba6a772c078d2285bd9a44be80a8ad91df2d01120fededd0526c7ad5a74b78a7cd731b3e54df16ee4f1eaeecb3cde07a1c944aae98920a07

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kconfigcentersdk\kconfigcentersdk.dll

MD5 a889bca455720ef0dfa30338d1a37018
SHA1 c49bdfdd1ce19178cb1aa83efb9f92975b1a9d25
SHA256 3f4e26bc93d7fc1cc54100c319a2b9d8fb83088872769b78e814980fb6f1e005
SHA512 9b5c8fe20debb59833f06edac5e984d53fa74f9999ffeb92b0c0f9350d3e13286e680a561bc139e5cca97e5e52a71a0f7e18cef38ba190055b186284260b20a7

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kmodule\kmodule.dll

MD5 502c4322fc360fd8cc90f59ac863c1a3
SHA1 609a71a48653b68576a539a3c44ec29f50b589a2
SHA256 0f40c5c4d1566d7f71b122c172d4906e98190fcfc88f31c9fbebd3b4d53d6058
SHA512 49872e6efdd63ce7ad42232dc576ac3500dc3d2f2cace4aedfaf2ab9f2af78b80defa424586dd85122b8d88bd898c3f2f72bcb0bf6ee12f611698f4f4029b2f3

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksolog.dll

MD5 bb63628c0cc81ff45adb3214342e066e
SHA1 5bb812cad46effac16d0def3eb7014a1f6d3a8b6
SHA256 e796227cb887b8b29d0530817ece2290f42ea491b11561ecdb2ad705e43f67c2
SHA512 a090823be81e4d300fea093be7680b12a9970890de64f27af83375bdf5e869c2d10fb2d3d10fa991ce113c6186e30dc59855b1dedd0c5a399b517a3e7841fe6d

memory/2448-3986-0x000000006FA40000-0x0000000070389000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt.conf

MD5 351fdc16f8e5ec3105aeb289397a06bc
SHA1 115bcf3e66703597ef4fb42acbdf3be37fff221b
SHA256 b54bcf83fa006bf38dc845507e31dd5ae559ed68d45acc12ae1561142661a7d8
SHA512 4cb802df20b51b5bac7ac78f983c191c9c81541204b7ee30683ff55f65694926d144b8003cc504e9c8f16da92ef5d17d5d904050e7915a6615f7c62abec38cae

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksolite.dll

MD5 152a690c0d8050b22bde17abd3806345
SHA1 38fd488acab1dbdcc66d88ebec03215c1f0ede85
SHA256 4347c6c4c88c47306731390d5f6085f86eb9d9e1dfcc0058daf8a9efbbe912ed
SHA512 e6558db247c05c7843ca050b3ec1bb3d533d5d1597d2fcab36c5eafd621f62ff280d759d6856ce75ed96dd6dbb0127a19a4ee64a0dc58131cfefe57b88404798

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\krpt.dll

MD5 1b75b61532d7793afd8f87ecf476e58b
SHA1 ab906eb2a3f0d18fb77ef6ecaf91550f23cb951d
SHA256 9472440cbcac55b57f3bba8d166e051d81447097496bd51af86b5d943416d74b
SHA512 8ee2d375d1370286c976758c793dcdc9c5568a6f91cbe3c667820e8dfc95a609402ed3d054fad56acd2d4fefc106e0ac9a627b2c26120a2b9d13b7ce99fc6172

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5XmlKso.dll

MD5 c84af4b704317c999fbcae4bfbc0d160
SHA1 18878298def296c5dd9cb62ec12f2d7603d2d0e7
SHA256 b1931aeb9a2b5af056a6875314c85e2936150bd61f536cf8e9a92424a324a29e
SHA512 5c60dd4f6f277543cd68d12f6ecbaa14a58fa2b6dccc111478bf6e633737f9bad072510e7250c698674baf765ebf21d8e07e4b4b74633dc0467b1a8f3e83b2e0

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\krt.dll

MD5 dbb70fbe46aa5c9a1c174e56a43f4068
SHA1 e2f0f0f2306cb863cbde6228660a17a98e632bf3
SHA256 3e487777a70672ab2792510e39925e6ca96593394cb02c94737d1d1d648a2ced
SHA512 82b586c10248ba65445eaf23418ce68b1f52266d855c2514883d73a04e36baa42773f61018e042406f05d474cf8f7d697802362da21125868c80c62385a81d78

memory/2448-4000-0x000000006C7F0000-0x000000006F7E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_06_11.log

MD5 5d49031a8e5556c1212c2c9c9b1359f3
SHA1 7cfd7a8d3c16c33652c924febbd9b082cb487f31
SHA256 40dfc5aa5c5bc5d903a345b31a24a047573fc37e518239e6905d6cd5560e83ee
SHA512 f2bf7801078b03bb5a596c650d5c22b0468dde4e25657160001a8425dae92f517369893b7d09e0ac99d730a7692352f56ef5de0bcfde12e91533d97ae489e97f

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe

MD5 2ce8dfb2a53e622411af4f8078d1535f
SHA1 ec2e4fa3911958d1ff23ed65b0b0f97e2aff7225
SHA256 90331a4a32a588f26eb815ee41f3f21d6e8d4c97bb6e33736e536e263f8bd747
SHA512 d6383ec1ae71a9a79f21dcb0a8bf7b75f2ed027cef756fb7cff2be35f02d220c8cdf9008ef7a6f938490490254a6d5b446480cf05a86b8afe5c1fc13c9036882

memory/2344-4061-0x000000006DAD0000-0x000000006DAE0000-memory.dmp

memory/2344-4062-0x000000006DB60000-0x000000006DB70000-memory.dmp

memory/4044-4064-0x00007FF7C2490000-0x00007FF7C24A0000-memory.dmp

memory/4044-4063-0x00007FF7C23F0000-0x00007FF7C2400000-memory.dmp

memory/3312-4073-0x000000006FA40000-0x0000000070389000-memory.dmp

memory/3312-4075-0x000000006C7F0000-0x000000006F7E6000-memory.dmp

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\oem.ini

MD5 223673e5e8d77083765b70ddf7a0f7f6
SHA1 3b5c4d6304ed6ada0ec607f44a2aace24ec16126
SHA256 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82
SHA512 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52

memory/2724-4230-0x000000006FA40000-0x0000000070389000-memory.dmp

memory/5084-4237-0x000000006FA40000-0x0000000070389000-memory.dmp

memory/2724-4233-0x000000006C7F0000-0x000000006F7E6000-memory.dmp

memory/5084-4239-0x000000006C7F0000-0x000000006F7E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

MD5 a40d9fb446109cd0282a38d38b987da2
SHA1 213da77bc57b07a7658bd37b4bae0ffca625882e
SHA256 257d0f177c98ec9578f33932f692c5637cb6ee3310c3e5bf9b9966c37ed46eae
SHA512 9e64041c459edbfa7c7e9e9dab53282432aeebfe02ee32e104babee285db6c22363692fea108c775f038ebaa1834dab6ec823c3706acf7008a56d8c554cd3c49

memory/3732-4325-0x000000006FA40000-0x0000000070389000-memory.dmp

memory/3732-4326-0x000000006C7F0000-0x000000006F7E6000-memory.dmp

memory/956-4327-0x000000006FA40000-0x0000000070389000-memory.dmp

memory/956-4328-0x000000006C7F0000-0x000000006F7E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B23SUCL7IXVLUCX9QF1X.temp

MD5 0dcdf4b7a84a3f63ec4fc93281076a84
SHA1 9bb55ae32f0060be23d49379ac7aba0d9a5fd72e
SHA256 550302e5ff6e6a665c70a436e78b1998aba04db213e0a8f4e8acd5b3bdba4f70
SHA512 013838caf860a2e8007de4d22d6c6b62c65f6587465a49b0dda71ddada6355ba587e5483d848b4cb02cc8da8cdb31b109af8aedbeec7a45c81c9688bae977d54