Malware Analysis Report

2025-06-15 23:35

Sample ID 241031-q4gt8a1kdq
Target wps_lid.lid-e8BnL2v7Bbrm.exe
SHA256 7be6628a085b244b6478dd8bf1a6074aa83fea23671d70662a50aa8b5292fe56
Tags bootkit discovery evasion persistence privilege_escalation trojan
Score 6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file wps_lid.lid-e8BnL2v7Bbrm.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery evasion persistence privilege_escalation trojan

Writes to the Master Boot Record (MBR)

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Drops file in Program Files directory

Checks whether UAC is enabled

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Modifies system certificate store

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-10-31 13:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 13:48

Reported

2024-10-31 13:50

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" C:\Windows\system32\regsvr32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A

Modifies registry class

Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024448-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002089E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\ = "ResampleMediaTasks" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002444C-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020868-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000244AD-0000-0000-C000-000000000046}\ = "ColorStop" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C031F-0000-0000-C000-000000000046}\ = "TextEffectFormat" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002095B-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\KWPP.Presentation.12\shell\open C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020843-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024463-0000-0000-C000-000000000046}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C0389-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C1726-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020880-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A47}\InprocHandler32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020969-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000244A9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024464-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{A43788C1-D91B-11D3-8F39-00C04F3651B8}\ = "IRTDUpdateEvent" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000CDB0A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\KWPS.Application.9\ = "WPS Writer Application Class" C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C03E4-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0C6FA8CA-E65F-4FC7-AB8F-20729EECBB14}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B} C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
N/A N/A C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
PID 2428 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 1880 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2428 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 4440 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 4440 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
PID 2776 wrote to memory of 3144 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1880 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 1880 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 2428 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
PID 1564 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
PID 4392 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
PID 4392 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
PID 2428 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe

"C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe"

C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe

C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"

C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe

"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe" -downpower -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E580D59 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00600.00001018 -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -uncompatiblemso

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00600.00001018

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=4392 /prv

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"

C:\Windows\system32\regsvr32.exe

/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment

Network


Files

C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\pl_PL\style.xml


C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log


C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\product.dat


C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log


C:\Users\Admin\AppData\Local\tempinstall.ini


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\ucrtbase.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\kpacketui.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5WinExtrasKso.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5WidgetsKso.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\vcruntime140.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\platforms\qwindows.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5CoreKso.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\msvcp140.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5GuiKso.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5SvgKso.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\imageformats\qsvg.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll


C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll


C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\dbghelp.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe


C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5XmlKso.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcrypto-kso-1_1.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libssl-kso-1_1.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kprometheus.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kdownload.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksouil.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kso.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcurl.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kbase.dll


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksolite.dll


C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data


C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_10_31.log


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscloudsvr.exe


C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2


C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OMPWCK99M99VXFNE9EXF.temp


C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini
