Analysis Overview
SHA256: 317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636
Threat Level: Shows suspicious behavior
The file 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Checks computer location settings
Registers COM server for autorun
Modifies system executable filetype association
Executes dropped EXE
Checks installed software on the system
Drops file in Program Files directory
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-11 12:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-11 12:17
Reported: 2024-06-11 12:33
Platform: win7-20240221-en
Max time kernel: 53s
Max time network: 59s
Command Line
Signatures
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | C:\Windows\system32\regsvr32.exe | N/A |
Registers COM server for autorun
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
Modifies registry class
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024423-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sldm\OpenWithProgids\WPP.SLDM.6 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209A7-0000-0000-C000-000000000046}\ = "Zooms" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{3E061A7E-67AD-4EAA-BC1E-55057D5E596F}\ = "OMathMat" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{CDDE3804-2064-11CF-867F-00AA005FF34A}\ = "_dispReferences_Events" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C03F1-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C0362-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C037B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00020950-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024470-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000C172C-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C037E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000244BC-0000-0000-C000-000000000046}\ = "SparkVerticalAxis" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000C1711-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\ = "XMLSchemaReference" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024424-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{0002092C-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.SecDocument.9\CLSID\ = "{00020906-0000-4b30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{99755F80-FE96-4F7D-B636-B8E800E54F44} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{E598E358-2852-42D4-8775-160BD91B7244}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00024480-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000244BF-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KMSO2PdfPlugins.Component | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C03C7-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.SLK\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,23" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\SystemFileAssociations\.xlsm\TypeOverlay = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,3" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000208D6-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000208C4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000244E8-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{0002E11A-0000-0000-C000-000000000046}\TypeLib\Version = "5.3" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{0002094A-0000-0000-C000-000000000046}\ = "Cells" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{0002096F-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.Addin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,21" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{2503B6EE-0889-44DF-B920-6D6F9659DEA3} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020999-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024423-0000-0000-C000-000000000046}\ = "CustomView" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.Document.9\ = "WPS Writer Document" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024478-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00020866-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\WPS.Dotm.6\ = "Microsoft Word 2007 Macro-Enabled Template" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.Xlt.6 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209B0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.Document.12\shell\edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps \"%1\"" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{BF043168-F4DE-4E7C-B206-741A8B3EF71A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_F763208 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_F76896B -forceperusermode
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_F769695
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2520 /prv
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:setup
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" -createtask
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\html2pdf\html2pdf.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\\office6\ksomisc.exe" -defragment
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -getonlineparam -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -getabtest -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe
"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2248 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:2
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe
"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2600 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:8
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2900 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3020 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe
"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2244 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:2
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.123/kdocreminder.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.123/kdocreminder.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/photoforceasso_xa_1.0.0.1/photoforceasso_xa.dll -EntryPoint=EntryPoint
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -assopic -type=silent .pcx|.tga|.wdp|.wap|.wbm|.wbmp|.pbm|.ppm|.pgm|.ras|.xbm|.xpm|.arw|.cr2|.cr3|.crw|.nef|.orf|.pef|.raf|.dng|.heic|.mrw|.rw2|.x3f|.psd|.psb|.ai|.emf|.ico
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run /InstanceId=wpsdesktop -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2023.32/kwpsbubble_xa.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe
"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1064 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:2
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe
"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1572 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:8
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=776 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1868 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe
"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1388 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:2
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3168 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3288 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:ksoend /source:ksoend
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
Network
Files
C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\pl_PL\style.xml
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
memory/2796-182-0x0000000000190000-0x0000000000192000-memory.dmp
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\product.dat
C:\Users\Admin\AppData\Local\tempinstall.ini
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\tempinstall.ini
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\ucrtbase.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\kpacketui.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5WinExtrasKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5GuiKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5CoreKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\msvcp140.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\vcruntime140.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 461d5af3277efb5f000b9df826581b80 |
| SHA1 | 935b00c88c2065f98746e2b4353d4369216f1812 |
| SHA256 | f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf |
| SHA512 | 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600 |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 3dfb82541979a23a9deb5fd4dcfb6b22 |
| SHA1 | 5da1d02b764917b38fdc34f4b41fb9a599105dd9 |
| SHA256 | 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb |
| SHA512 | f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82 |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5SvgKso.dll
| MD5 | e654635510b1aa9482796b2e543b6f9f |
| SHA1 | d3e85dc5709ff4013c9904eec579cc268bcc843b |
| SHA256 | 8443816d6e933358cdfaa82ac3e75758347d31d02a0ea23c71899c875b2069d9 |
| SHA512 | 3b119df0b7d058f47834259a907ae3e132936d2897dbc178eb425a16948c47c15f5126eff3cc5ef306b2ba967063dcf7e5d0066c9102aeec214b12d692d0be8b |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\Qt5WidgetsKso.dll
| MD5 | 5545333769aa479ed5e4f23f40fccd99 |
| SHA1 | c216b59399217290e9f579c1521f0b724d24bf0b |
| SHA256 | a076e1fea2fa579e647968a25c96c7a472d279883fdf25a0dc6345ed6ee5829a |
| SHA512 | e3520b4e544e0b3a3d9d2404d63423968b8c5e3426e88ca71e2d1743520e6ec81464baa2b01fc6199e1004d5496c7d49944d7b4cea84edab384decab3a27202c |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\platforms\qwindows.dll
| MD5 | 07e26db5ff3902a3f6aa4804d030982d |
| SHA1 | dfcd419b7d1f52d55f679316110e77c66bf2d289 |
| SHA256 | 0d55c384a68fd74df4034250ad60e04de00f072221e95d79ed71a0373db224b9 |
| SHA512 | d9d7576f20664600d44f63db99ef23d7a5d03d85d4e7403d4787ee709d63665e52e35f0e2e8abe4c2a5c4db040bd0de4530ff2d87d3fe9ae2df2abaa433e11a4 |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
| MD5 | b6753bec77430c645682c3b705b6cc13 |
| SHA1 | ac523c5a8ba93cdcccb626b359cbb061d45528ec |
| SHA256 | cd950cc5dc9cb3d6634c93c53d044021df14460b7ba25464a2f23389e49ae10f |
| SHA512 | f753c6f3945c3b85460486309bf8d63aa8432fc6acd9be5808f1fdb8b79effcc518245054b14ba0acbe3397145facad3a30d576149dffa344a2823d58a2149fc |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
| MD5 | daecfd1742dfdb76c6a5663c8b3577c5 |
| SHA1 | 4857af5fc2c4b780b325682210873748448d9e76 |
| SHA256 | 550f635c1c6610b07af9177df139b914d1f42299ed8f75f2dc0f9ac3e2a96294 |
| SHA512 | 97848b03260c4306f93339096c4e2d0c5e20715580267c29a1fff16df1056f11662dd2e21bbe85a34d2b07f9806820d1badd043065692699db622e6dfaabd02c |
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
| MD5 | c86cfa96b6bc8d403cc27fe4bb901394 |
| SHA1 | c7abcc4df6b149ce9fd04597bab5a2a7d85b53a9 |
| SHA256 | ebfe0b2f1ec1d2330329f533d27225a7dde70711b718b71638aab753727f4fb1 |
| SHA512 | 19ff68d0e52e856178974e6af89269bbcbd47090caea7964c3c1e8fdba0d340a730b6415aba17c1a66cbf685de8b76a98fd68aaaa78c887e9298c187579e118a |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 0d26445f495aa8fa75cc04e5a33b02fa |
| SHA1 | b80a07cb5f9917f7c58dc234b7600ce601082fa5 |
| SHA256 | 0a05798b4fab7472645fa34a60cc7410c93e3235417a55fc9275749882e74a16 |
| SHA512 | d6d3526b1e3d02d566e445dd4e78717fbf389b694ce4f8ccfc6c87efeee5db4ba34d059e2eb735e5ab78bf65afadb82a60518282f708b575e17f208276dfbdb0 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 3740e74f736e1312b3d74819cdfac1c1 |
| SHA1 | 751a4c3473f48216a592f8054500684a89e55828 |
| SHA256 | 8b91bf4a8a0d040ceee5be9330e98b414c86efa65ecb2c55f433f07f3aedee22 |
| SHA512 | 7c7f1147a615d3e6b6c2e60a1367b209b56337b597a1f27c4ae8075aadea15b6352db378f10f73dfaa01720edeeaf528509dc6073763072a02db9727caebbe8e |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
| MD5 | c5ad1903526a9ca4c2f55cfea1e22778 |
| SHA1 | 9c7b9ba9100a919cad272fb85ff95c4cde45de9f |
| SHA256 | 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334 |
| SHA512 | e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4 |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
| MD5 | b4b4c703bf5c6c0b5e9c57f05012d234 |
| SHA1 | 929aee49e800e88b4b01f4a449fa86715d882e42 |
| SHA256 | 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b |
| SHA512 | 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm
| MD5 | 2b42be10ddde43a0b6c2e461beae293a |
| SHA1 | 53888c4798bc04fdfc5a266587b8dc1c4e0103f3 |
| SHA256 | 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b |
| SHA512 | be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778 |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll
| MD5 | 39f7a2e4e5493a25ff8597413372d8d7 |
| SHA1 | 4dab1118b5b962f1dc89fa29c5f10c8bd7d1fce1 |
| SHA256 | 6b9428e6c7563b32481cb9bbb15e9126376bd123b213b94b6cdf82409a5b57d8 |
| SHA512 | 80063b8e9f8e328e8746f6f8b9c73bafb0bfd9c89d0743da186de193c3676d7702fa1ecd82fa547d5628f4e4b96c3869bb7521f25bf2843d260dc0339480147a |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\setup.cfg
| MD5 | 1c1eb59705cc6888811f3019aa3be6dc |
| SHA1 | 561a22bb405b8e77cfa062dcbb8ce2589b23bd46 |
| SHA256 | 82602748b45b6a64ac854f1168604051292f8c14838b9dff5a804138f21600dc |
| SHA512 | 17ceae557b779ab759e741a5bffbee50d35fbd1ab76bfb36c5c28d4bc33155f9e719a5eabf9593083593fbfa7f3037fd1621553fbf8c5ea391e8c82be118103b |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini
| MD5 | 183330feb3b9701fec096dcbfd8e67e4 |
| SHA1 | 2f43379fefa868319a2baae7998cc62dc2fc201d |
| SHA256 | ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475 |
| SHA512 | 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471 |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
| MD5 | 20704171f1c20337f7348ae4dab809bf |
| SHA1 | c0a8e284cab4e843bfd9cea49e221efabc971596 |
| SHA256 | 03d1cf8f9801abf3f1a10ccba0a3b64f38ee209b4ce84c0b8e6bc72c35f61a7e |
| SHA512 | 47b791b8e8ca250f041390a72d0d0bdf4ca3115cff579e649eb45181b2d898dc664e7d53273e46230440b3428c613bc30fc7a6818bbd17daa635e2ef5e0e1b0e |
\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5NetworkKso.dll
| MD5 | c2d146a5359002a751ca8ac02a2af3a7 |
| SHA1 | 847b3cb0ba52fe77869800accba3feef4486c2a5 |
| SHA256 | e0daa77458e3833d7dc90dc571dfe576aa08e0f7f7d9bd2ba35bf01e534d5eae |
| SHA512 | de84d24894f829f72562c848c64dc7d43556f4e93706b602ff9f6d891dc8757691e0f742dbbb8125eebd069479f56f0cf7af8c04db286187f87b0eb3caa2603a |
\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\api-ms-win-core-synch-l1-2-0.dll
| MD5 | eb6f7af7eed6aa9ab03495b62fd3563f |
| SHA1 | 5a60eebe67ed90f3171970f8339e1404ca1bb311 |
| SHA256 | 148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02 |
| SHA512 | a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875 |
memory/1824-3940-0x0000000037450000-0x0000000037460000-memory.dmp
memory/1824-3942-0x0000000070750000-0x0000000071099000-memory.dmp
memory/1824-3944-0x000000006D500000-0x00000000704F6000-memory.dmp
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data
| MD5 | b719be776167213ac6d5bfafb1cb2612 |
| SHA1 | edfe0028b5e1ae4171493b077dc332872d4f83ff |
| SHA256 | e78c7d53f11d2c96244baea939ea77b3761abdbc75912812060ab3e8aa938e44 |
| SHA512 | 56e2a24da00d5d4df5838e9dffb42a7ccb19ec3a4b2ff74858ccdbd7b3d3444907581b5ea426670a4b85b5a229d84441eb7fec023d2eb7ceb366c2f6b387f7bc |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_06_11.log
| MD5 | 93bdabeac873fb56f049f9659336240f |
| SHA1 | 1a55f154a232aad1618c5bfde1a195a91cbde339 |
| SHA256 | 92102d802bb9b64be87e1ac0b68c1310044cbe62ee2bee7c4241ae5f1fce6ada |
| SHA512 | d26d892edcfb9841942b5fb61699de5b0040b764ed73f5bcccdd53b6514069773b87f0bb2eaf536027fc9d5b55e97b6e014a9e5b5eab9e6470a7c9685a04646c |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
| MD5 | 2ce8dfb2a53e622411af4f8078d1535f |
| SHA1 | ec2e4fa3911958d1ff23ed65b0b0f97e2aff7225 |
| SHA256 | 90331a4a32a588f26eb815ee41f3f21d6e8d4c97bb6e33736e536e263f8bd747 |
| SHA512 | d6383ec1ae71a9a79f21dcb0a8bf7b75f2ed027cef756fb7cff2be35f02d220c8cdf9008ef7a6f938490490254a6d5b446480cf05a86b8afe5c1fc13c9036882 |
memory/2908-4020-0x000000006EAF0000-0x000000006EB00000-memory.dmp
memory/2908-4021-0x000000006EB10000-0x000000006EB20000-memory.dmp
memory/1672-4022-0x0000000037140000-0x0000000037150000-memory.dmp
memory/1672-4023-0x00000000371C0000-0x00000000371D0000-memory.dmp
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\oem.ini
| MD5 | 223673e5e8d77083765b70ddf7a0f7f6 |
| SHA1 | 3b5c4d6304ed6ada0ec607f44a2aace24ec16126 |
| SHA256 | 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82 |
| SHA512 | 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52 |
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
| MD5 | d32df04f1fcdc8da53d9fdc14b69973b |
| SHA1 | df451f4c5730f9d2f21ab2618491ba376d96ae67 |
| SHA256 | 33450b8e8df01d1d106dbb8928d63147a8f72e68fe6f3767511a3c0c51a89dbd |
| SHA512 | d4cf7270b5f6e065fa06b275b3e4c337ac9e39cbd83e7f6e675187600bcfc501da466ac624225cac4b4eb7a1606a372e768a626b0675d2d35e2f518af28527f1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KST91PQYBPI7MYTON1P5.temp
| MD5 | a6cf09d5cabc878da43ec8dabed4554d |
| SHA1 | 15d296f66e0a10c05168ab3fc6ca4ed33c28c493 |
| SHA256 | e4de3962a4d019bf691fff7cdb4322bb47d430728cc93918ef332cb8afdbe28f |
| SHA512 | 8a274c590b471075b055a5b7fb376d560194a083b8fe04f937320169d1c03a689650321512c0296384c7828d3c5708404d393fb6f57d0c1cb80bd39ac861ab02 |
C:\Users\Admin\AppData\Local\Temp\CabA1EC.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarA1FF.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/780-4450-0x0000000002A90000-0x0000000002BEC000-memory.dmp
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\plgpack.plgx
| MD5 | 5fc4ddb38cb10ee798c5c8ba890be8bd |
| SHA1 | 738a8d1f6ec8bc690c387d5991cc8cdc7e7f79a7 |
| SHA256 | bd077d51c874220b491058034a3ef9ef147a90399d83cde38ee27cbef68bb0f4 |
| SHA512 | 60036016d454732336e7507c5b6101f7b0b474bf80f8f9099ab38bc8bfc3eebea31794f95ec4e91e55d280bf7236577b4ee248c7da6c98a4c2a532a7f98f5270 |
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini
| MD5 | 134d92d41c65fcc5562379cc2842f786 |
| SHA1 | f628fa2b086ded3d6bef53e107c5ed4433cdc408 |
| SHA256 | 1c4b37edb30af230503a6632d6e6e23e8ed3cf75fa700d5b0187257a40947dcb |
| SHA512 | a41e90d26e214dc77749791fa76440d05dbcfe153100bd720a9ef06891bf8129d052ca8e2021cb4586c2d06a923fe023f76773b71cacf188df78d6a6ce7942dc |
memory/576-4619-0x000000006F950000-0x00000000704FD000-memory.dmp
memory/2796-4653-0x0000000073BB0000-0x0000000073BD3000-memory.dmp
memory/2796-4652-0x0000000073C50000-0x0000000073D99000-memory.dmp
memory/2796-4651-0x0000000072A10000-0x0000000072E81000-memory.dmp
memory/2796-4650-0x0000000073DA0000-0x0000000073DFE000-memory.dmp
memory/2796-4649-0x0000000073E00000-0x0000000073E03000-memory.dmp
memory/2796-4648-0x0000000073E10000-0x0000000073E15000-memory.dmp
memory/2796-4647-0x0000000073E20000-0x0000000073E23000-memory.dmp
memory/2796-4646-0x0000000073E30000-0x0000000073E33000-memory.dmp
memory/2796-4645-0x0000000073E40000-0x0000000073E43000-memory.dmp
memory/2796-4644-0x0000000073E50000-0x0000000073E53000-memory.dmp
memory/2796-4643-0x0000000073E60000-0x0000000073E64000-memory.dmp
memory/2796-4642-0x0000000073E70000-0x0000000073E74000-memory.dmp
memory/2796-4641-0x0000000073E80000-0x0000000073E84000-memory.dmp
memory/2796-4640-0x0000000073E90000-0x0000000073E93000-memory.dmp
memory/2796-4639-0x0000000073EA0000-0x0000000073EA4000-memory.dmp
memory/2796-4638-0x0000000074700000-0x0000000074714000-memory.dmp
memory/2796-4637-0x0000000073EB0000-0x0000000073F1F000-memory.dmp
memory/2796-4636-0x0000000072E90000-0x0000000073393000-memory.dmp
memory/2796-4635-0x00000000733A0000-0x00000000738F7000-memory.dmp
memory/2796-4634-0x0000000073F20000-0x0000000073FA1000-memory.dmp
memory/2796-4633-0x0000000073FB0000-0x000000007429A000-memory.dmp
memory/2796-4632-0x0000000074760000-0x0000000074763000-memory.dmp
memory/2796-4631-0x0000000074770000-0x0000000074773000-memory.dmp
memory/2796-4630-0x0000000074780000-0x0000000074783000-memory.dmp
memory/2796-4629-0x0000000074790000-0x0000000074793000-memory.dmp
memory/2796-4628-0x00000000747A0000-0x00000000747A3000-memory.dmp
memory/2796-4627-0x00000000742A0000-0x00000000743BF000-memory.dmp
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Local Storage\leveldb\CURRENT~RFf76b471.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\res\static\js\manifest.js
| MD5 | af5a4ff62384fe67791d8cde9176ac0d |
| SHA1 | cf5aa9528fe795b75a569352466ad944652185c8 |
| SHA256 | 5d1122539ce1ae98804e216cbfcada9f2603fe4f86454b2b29e7d7448da97891 |
| SHA512 | f78a72b7ba06b257fec3a97bb62d20f7562212e995d62438bfe3d8181fe7f56c3e14194e9203e64b0e259a7cbdd900125f5f185bc8d736c881f8ca0e2920273d |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\download.7z
| MD5 | f9ff8d5420b4e94b56438939a0e5dd44 |
| SHA1 | 200ed59ff1a7c7c031f40ca11fddfff1591a2b44 |
| SHA256 | b693e86dc4cc14fbc3dd769fc6f74d312c05bf927dd1bf5ae338c419f853b853 |
| SHA512 | dcd3bca7f2a550e13ca43f0f9af59a12b5f7f10c9762802c97c7ef308353ddb23e2b87d42d306f967beb6684f4da727a1b3785466cf2c1ee73dcd4aa8e09f3e9 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.123\download.7z
| MD5 | 74432b07c0d487222b7e2cbf41f64cf6 |
| SHA1 | f8848146f77d934e0fdc5357ae7e250f317477af |
| SHA256 | 2900cd45164c200a4d9dd39f77bec89926564a87f6228fc3fee1a6058728e3f2 |
| SHA512 | 17cd2d8ff90f3b8dd251099cde43ceb8bb342484295a52d3f587ffad462c4fd9f6418b35452ac7075bf421fce380c75b0aea164319b7bb2db20146c3efa76f72 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\res\index.html
| MD5 | 66bbeb8733bee0c788685880cc46acc5 |
| SHA1 | 07d104aa23fd4ad765095ea771667e1440ac6bca |
| SHA256 | faf96f1472b09c6eed78da690151b5b57133733e2f562dc6678602746a79342b |
| SHA512 | 2d919a92b2c425d0f08d609fd825de151c5ce54cd31d83405054fa84194c85568ba512af4f1b38136c12152764ae0ae34441f36b4f23ed5ae74438502b0d1558 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.123\run.ini
| MD5 | da4b75c3d70c08be415e7b25abdc11cf |
| SHA1 | c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225 |
| SHA256 | e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36 |
| SHA512 | 0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\KWPSUpdateMindBubble\plugin.plg
| MD5 | 7ac31d26b13c6f217ba8a3b10ef3dd8d |
| SHA1 | 457193d0fff37ad6c0ae6acbd4cd71acba253fea |
| SHA256 | 9835b153474bc9aaaafbd3036a03810bbb8f21406ac8aa70e0c0b59484d5e202 |
| SHA512 | d0892d26e2f18ba2d57c73ebc5de9a749c1bde385993faa6b31e45b565da44ce96f665263d2b4a68d76cda596d4e7a0c0c194535d2d8d37aa7c082394b72a303 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kuserinfomenu_1.1.2024.1\mui\default\icons_svg.data
| MD5 | 15801a93c46565187d560863a0061791 |
| SHA1 | 515475c176bf8d4ea28721ad8a41a63730f64617 |
| SHA256 | eb89917938b1c7f84eab66320d4424793a2eca6cce0e30ed994b7c2891bc0d48 |
| SHA512 | ae5ebbf60fe06f11f0f2afc3e8c6640bf73a444c60bb9181366fe4ed80dc776c50838e6e9c56fd11fd04e166237ce742b4d6e5efcf8646bc50ea2501005c14dd |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.107\download.7z
| MD5 | 0edafbd62638a75ae8b4debc9fd0b3db |
| SHA1 | 814e953384ee2771bfcde0584b0f6f5691217ede |
| SHA256 | 3332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8 |
| SHA512 | ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photoforceasso_xa_1.0.0.1\download.7z
| MD5 | 890018bbb3ab5d25a6c1737e7f128bab |
| SHA1 | 50f258af178afdc80bfd32b4d5ceea74eb3fb312 |
| SHA256 | 5f2b53d5348ee9d43f2f4eeb15443af7b236f27fd699453685c32fe98ad79e7a |
| SHA512 | cecebba4846a8bff6bfee6a0ad89361e3d39f8f2775b68dee22a0a96c1a0ee3792ce0749295a38ae6d004a60dc8a9894b935d520a651fa192a30781c8543556b |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kuserinfomenu_1.1.2024.1\download.7z
| MD5 | 047838d673c348c89a467b4c0fa4cbd0 |
| SHA1 | d93a46e534422f62fec109c4098902991eb08276 |
| SHA256 | a5c428cace8a68799441b01ed3ab62e528c0a1b01862c533b2d1770824dd6129 |
| SHA512 | 0e8c010162bd5f204824df5d9c0900199585db5a777915d36ac4fad4871210d798167ea87b2818990807ef0986c940b258643fb6cab260394497135aa402a170 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photoforceasso_xa_1.0.0.1\run.ini
| MD5 | 82cb83edcdc6d19d3e10dd42ede04a54 |
| SHA1 | 3a9dd33485800ad156f7fba8c637ee59e4ba2d4d |
| SHA256 | a11a80d525c8dbadbbfa8bdcee6dc6b5d84a947d44cf0ef2ba1ed1c9b51cf392 |
| SHA512 | eea882b5030d21a6c88d53afcebfc399a4523062b3d6c99aed9f7eafaff1483f0eece912f75fb11c30f48af645bfe157afd33ec8047249d3f79c39dee057d599 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\photoforceasso_xa_1.0.0.1.ini
| MD5 | 508370f78327c666be4501d073812950 |
| SHA1 | 874374d638d491266da8a4b5ef905002c28c2f38 |
| SHA256 | aec368c859cab36a2ca31d36941af40e15a26a8f85eee679be85f45625e91da1 |
| SHA512 | c905ad292f7c695c0260f3310e27913c555bf3763e864bc2e1f90829a748c1cf7fcb53aca2314607383cf321782827674d2715b784821334d637b57d5383a084 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\res\popupVideo\img\icon-close.svg
| MD5 | 638afc2355d020561133690e6ef849bd |
| SHA1 | 1014cd4cc2b7647ef82044dbacaf0d6926aace7b |
| SHA256 | 3b315efb51c084c848ee511dc462eca1b28a6b1c149aa4befe3b98d26281db4b |
| SHA512 | dfd817879a8e772b485d73881114a9e9bcccf29884d0f941bac614667faa4c6c38a971e4d0bb94a7390c6afb069b5bac4a20f67d347f90b5ecbf63a85ffd742b |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\download.7z
| MD5 | 7be45b4650a019a60c8eae76b6e1f0b8 |
| SHA1 | ddb17c729a0b515b7fbf8bfbee887746dcdfbc3b |
| SHA256 | 988a9b41dba2fe2d576416c2ac9fa8c72ed9a1f541bfec4d126a209274dd812c |
| SHA512 | 3551447079c21d0934828ebb769d0b4326e5d6c6552885c9824080862d09c48324210b63e25bc1041dddf8ba32528031c97e8d37bc44d78b6bf2fa7183d66905 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\res\popupVideo\img\icon-close-hover.svg
| MD5 | 2ba5639af3d54e842950dd70111494f8 |
| SHA1 | f893ff8e9ea8e7df7512ca51640b3535b8d36603 |
| SHA256 | 34bde4a261024c7f1765684836ca58df2928d35069b9e35913a79274b22f60e6 |
| SHA512 | e026d283adcd1c8f5c7a6d4e68b17754ecce0374e4fc1317ead694a078ec2268d9cdc8924fb8d2b36ce60835399598e508874e552ff74e9fa5d90fa65ddee013 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\mui\es_MX\kdiagnostictool.qm
| MD5 | 5afc7d8ba894df59c2b3f44726cfc2db |
| SHA1 | a21a7a8fd943455fa47cc5d950603bf1bc5a145a |
| SHA256 | 4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be |
| SHA512 | a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\mui\fr_FR\kdiagnostictool.qm
| MD5 | 62f3720e184f094c874fe0eab7f0f598 |
| SHA1 | cdd858a80bbd1268e7c5278ebe19c35659871d2b |
| SHA256 | bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14 |
| SHA512 | 14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\download.7z
| MD5 | fd1d8a9edeeb153f9e53d1e2522e3d70 |
| SHA1 | 53807b925cfc9ad101005983cbcb98e14163353f |
| SHA256 | d8ae5a02687c2936552f691858150bf3286236bf31a6014e6655e576c55c234a |
| SHA512 | 4e50a7f2b9030e607a3658942de482129a2a4cc8d965d70a46b7fefd7bbe379368846bde4c99e131035069e3f9bb86386a1797214885678354a38d13d599fcd4 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsinco_xa_ksolite_1.0.2024.3\download.7z
| MD5 | 7b979dd63724d952a1422473776c4757 |
| SHA1 | c8b2b477d6f52ce01ebf87d1c00cd1886b3577b0 |
| SHA256 | 6b32a77b31621df79ae220ed6bf24558319c438230af2cf21292fdfbcb69f1e2 |
| SHA512 | 345eaa9f8d801670d517de34baf24114807dd5f92189744512561370627fc48468fef0e0b9718ae249715b97a8cd304bc619f97ee35adc3177c363195e6d69bc |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsinco_xa_ksolite_1.0.2024.3\run.ini
| MD5 | 235c61a9b48849f011b96ad861d1606c |
| SHA1 | 5ca11e0f37f20499be6583d85cbbdb91419aaa89 |
| SHA256 | 7b304b743ca6598f385a05c8c39408ae2cd406d2190e49eaf28989059dec4492 |
| SHA512 | ca75e4170f0c9842cceac6c6f69bae606ef57cb246765272d4da763cbb6d1d37dbff775a45cf592064f004d60eeee507ac04549ba91d2073113c803aa081a7c5 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2023.32\download.7z
| MD5 | 6e2fc2eede73e3efa5fff9333ff40c9d |
| SHA1 | 00cc9b3c84780d65e4aa4edbb19303974e9a200d |
| SHA256 | 845b89c37d4cd41b04623b5e8804d69aef323b18b1d2dcc860777e776c048012 |
| SHA512 | d5c1e13d93b12ac0eed567dc0063cf83e68b9d3edd03756f0b4380521f9e974a31878c0213e81bfa38510c6016a7b71edc16bbb06bbc5ff89acbba9d8ac1d54e |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2023.32\run.ini
| MD5 | ad3a68e7d8c8bf2470282567d8ca7ded |
| SHA1 | addb5ab04165b4743ffb985918c08ba0a76a6eae |
| SHA256 | 27e743bc78f9a2862d822fc171789160905ee26545466f93052f8565aebd523f |
| SHA512 | c8e4b63fb79c365cb48a0ee0c4351f6f94da9ba8ce62f0b14d8ed45726ebaa478f581efb37e254e75e1c561f5ffa1d8985e867957c68c04b8eaaa2945e838505 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Local Storage\leveldb\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\chromeguide\plugin.plg
| MD5 | 85920fc5aae6425b2c5eb46507500e1e |
| SHA1 | 43b85ac7a1e0b4ab83313b5df0997a6595bbbe12 |
| SHA256 | 18f743d7cd9582bb7d37a2e1fef73e6c2192c8c4119feebeed6f9590496590a3 |
| SHA512 | 2c865624618a16c2de85ba93b05a41ca3638fc04b867962ef7b1550f43c6d732dc4b3da84764f9b8584bb5dd645faf286c4e2aacb2e54c9acc22489570deb465 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\et\plugin.plg
| MD5 | b330323d4f3e9c5f65d4090068fad2f2 |
| SHA1 | 3cff5b78ea82f6e628809523ab3ef8adb737f097 |
| SHA256 | a42b0f39532aa7ee9dd68d92a60177bc75e13e44f051b36bc24f0ed4dcc30eb3 |
| SHA512 | a47f5e0a8ca11d78a7edf8ef7d26e4ec2129c1d055f33a933d99fbf1cb287e06e9aa208e74b5b09ee210332fdaa44df17ea432baa3630af19f9bc16466abff6d |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\kappframework\plugin.plg
| MD5 | c480aa9ecbeca164f2c4b65703735f88 |
| SHA1 | bad457b7be00fe8c88321e6dcc14b4e914164ecc |
| SHA256 | 407b17b8ebbc8ebf024c4a0c89c7975ee52c02c4fd4be90a07f9129ae7651cf6 |
| SHA512 | f6f9ad841c5e6541511106ab7c5224b1bc2e4655ab853c7b43af91f6fd8caa009fca424cb65c72210fee3a26f478d89401fb4024a1fd5d27bdc7112106615b69 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\pdf\plugin.plg
| MD5 | 368d5dc1b407ffa7eb2d490d048de943 |
| SHA1 | 2cb8d6b77fecfd621391f9378e2210f3d60190f0 |
| SHA256 | 16c0708490c449ff61dfa3284313554ce44ef6b96a325f4818bd1e0bcdca04f9 |
| SHA512 | 7bf235117d9b6fd04ef72fb3763bcff44755896785dad7dd432142fb9b5b2a736cfdda20d10c22a1140aeca0392e058ffd666d412e4ad6fc426d7445c8bfc783 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\pdf2word\plugin.plg
| MD5 | 6a13e38dc5123fd5fe9c4e971e3fe7dc |
| SHA1 | 21ab4a505400a46a11366e27ef7bb538e04c61d2 |
| SHA256 | 20f46b032a3f1e85daf1ad3819fe705fc386e5e975e53627a15f4ca1119a9c76 |
| SHA512 | ea89b0fa5a23d0f9d070dd5838aaf77bd100b1c9cec3c73e81146297ab5b4fd08ac9d9adc084f8bc1135f65e5d678942cab54a4860e6dc9ae11d3409a33f7ee5 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\photo\plugin.plg
| MD5 | 64e11ec8259d13542ff86c5fee3b6ff5 |
| SHA1 | 3c3f098e58e83b4ffea387ea030b2862340477fe |
| SHA256 | 424ab36ab8117d38888f5bbdde9610e5dd29c35022893ed2b85acfd7b080158b |
| SHA512 | 6677e9e464d6559c65b8377eba5d1570c721193d7bbf681392c5f037e64984cea3d7fdfdff6f215643b34bb4a92771c000e01c1dca704b30fe7ee20177e1325b |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\qing\plugin.plg
| MD5 | 5509ef75346a8ba1459a3a699304817f |
| SHA1 | 377f771755f0be245963cace9ebd4f01f1b60150 |
| SHA256 | b1b204e307ea2d74b95d5a07c1c3180c8d15892e8438b8538d487ebafeae4be9 |
| SHA512 | 14d064f685323f984641d50dc7eb1ebf82596435c3745051104b61717d897cc3a06e387daa6ea5d3d160a468a750dd08969bdf27f987d73483222b189b8aaf55 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wpp\plugin.plg
| MD5 | 5d0bad20a3e197f645bdc6383d3e1b01 |
| SHA1 | 906d76437fc9b452dafdf868057d42944e4d9a5f |
| SHA256 | a3128523eeebb539908d1361fbf7f2a646d3e9c61dd1bd7093a585d5bf197c88 |
| SHA512 | 2002ff6652e9713f8ad5e053b7973dee0f4587c2898590da4c75a030fd2f064078fe34f3fc28908054fd25cd6b786d6cff1ebcc4e57be60ae9901404e6b782b7 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wpsoffice\plugin.plg
| MD5 | 404286e0cc214be383c8c544b8ca52ad |
| SHA1 | a6a4f39540d75d7f135910cd55c39833d4dea20f |
| SHA256 | d1d4f345462dc6fc9c8c9c25ddb179f22c6458144564c77b1f86f26f98bcb639 |
| SHA512 | ff3d3c80b761ef90e215938cdf8f29d9d412766f926cc5104bf67af050ff777ee6ca8ad2ee3c1d65afa03e86ff655f6d0935d59ed565350f99a69392f3a97d71 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wpsbox\plugin.plg
| MD5 | 4b7fc1e905714c7f4f5aeafd9dbad7d4 |
| SHA1 | fe47d5355b9c8c41dc4918ed73cb1590418dae8a |
| SHA256 | d671281d56b664c5e981a446cc9552eed28fa3031ab3f294415a0bf3808bf7db |
| SHA512 | c6d19c02649406d3816caf67344c69f23fd319140e82de4822a377e377cdf1b5b37e261b69e7dd271dd46e4fafe14fef379b02df2369251f5223c7278b77a3f0 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\wps\plugin.plg
| MD5 | 4ea68dd71ec5efec0b9c6631117bcb00 |
| SHA1 | ff9743032cb0ae2b2ee3d8d93eb035ca6bda3250 |
| SHA256 | 6446d6e1b64fc7fbfd234d53f645cd04fbf662408065745070d97a7f018accdc |
| SHA512 | 28ed1b6dc1de0fe03839d01c143f344f6c226e766a27f7c4df781a35dd0fd9289c941b1621cca570a0eda1547cf00d111ccdc27e8086950f8e45d78821fba634 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.180\download.7z
| MD5 | 63c4fc2706885905af8ecb9e8d6e7587 |
| SHA1 | d87bc3aca0ed2f995cbe5420f9d604279c85b4df |
| SHA256 | 67014918d74295a7eca03d3edd4d7d35c14271bd731ca50744649ff8a91785df |
| SHA512 | a114cba2736da1c6da68a246076b0f00c6d2596de2f596a97136054efe811e7445e66c38b4a940fd5aa2b7e23d4c8f708516821c51907c1d75e9612c872f9f78 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.195\download.7z
| MD5 | 41bee6b98088768aebf4fa633def79fa |
| SHA1 | 384df283531623cd111f0b524105b85e27903976 |
| SHA256 | daee2b78f4e2960a35a6e4de3ffa0dca8068725d0f1b18f6d48a5b06c8e71003 |
| SHA512 | 6d0c3cb900b00ccb48546fed9e4f633f05f5c61be55ef3f8fc8d3761acfc3d3d2728ee7fc96e5c68ec4a2ffb2531eafa9b5c48701de7feb9f404d1a6c73dc824 |
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Session Storage\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
Analysis: behavioral2
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-06-11 12:17 | 2024-06-11 12:35 | win10v2004-20240508-en | 143s | 158s |
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | C:\Windows\system32\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\refedit.dll" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\ | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wpp /Automation" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Automation" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wpp.exe /Automation" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /Automation" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\kwpsmenushellext64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\ = "Player" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{0002095F-0000-0000-C000-000000000046}\ = "Panes" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209D1-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{C1A870A0-850E-4D38-98A7-741CB8C3BCA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{44720440-94BF-4940-926D-4F38FECF2A48}\3.0\HELPDIR | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0317-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020881-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020928-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020988-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{CAE36175-3818-4C60-BCBF-0645D51EB33B}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A5-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "PlotArea" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{9149346E-5A91-11CF-8700-00AA0060263B}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244D4-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209ED-0000-0000-C000-000000000046}\ = "SmartTag" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{FA02A26B-6550-45C5-B6F0-80E757CD3482}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{D8252C5E-EB9F-4D74-AA72-C178B128FAC4}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002446F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208CF-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Excel.Application | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209C6-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020958-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{7759D313-9C91-46E3-BF38-3B6E68E0B1C9} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244E0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208A3-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{6D3837A4-F05E-409F-9A65-0D22505A49C3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BE39F3D4-1B13-11D0-887F-00A0C90F2744}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInDesigner\ = "Addin Class" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020961-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A1-0000-0000-C000-000000000046}\ = "_LetterContent" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00024439-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002092B-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{766FBB6D-7576-4C00-8CE7-C548751812B3}\TypeLib\ = "{D626EB73-B7C0-45EF-922D-0CDDAEDE12FA}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\VersionIndependentProgID\ = "MSAddnDr.AddInInstance" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0316-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C03CC-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002093C-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024432-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\.ksobak | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000CD100-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020942-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{C75AD98A-74E9-49FE-8BF1-544839CC08A5}\ = "ChartArea" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020926-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{30225CFC-5A71-4FE6-B527-90A52C54AE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{4A304B59-31FF-42DD-B436-7FC9C5DB7559}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244D2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208AE-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.RTF.6\DefaultIcon | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020972-0000-0000-C000-000000000046}\ = "LineNumbering" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{07B7CC7E-E66C-11D3-9454-00105AA31A08} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000208C2-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244AD-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244AE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024488-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_E581F5A -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E599522 -forceperusermode
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E59F8DD
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3732 /prv
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| US | 8.8.8.8:53 | params.wps.com | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| US | 8.8.8.8:53 | abtest-api.wps.com | udp |
| US | 8.8.8.8:53 | movip.wps.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\pl_PL\style.xml
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\product.dat
C:\Users\Admin\AppData\Local\tempinstall.ini
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\kpacketui.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5WidgetsKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5CoreKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\platforms\qwindows.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\msvcp140.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5GuiKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5WinExtrasKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\Qt5SvgKso.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\dbghelp.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\setup.cfg
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5NetworkKso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kbase.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kconfigcentersdk\kconfigcentersdk.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kmodule\kmodule.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksolog.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt.conf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksolite.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\krpt.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5XmlKso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\krt.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_06_11.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\oem.ini
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B23SUCL7IXVLUCX9QF1X.temp