Analysis Overview
SHA256: 7be6628a085b244b6478dd8bf1a6074aa83fea23671d70662a50aa8b5292fe56
Threat Level: Shows suspicious behavior
The file wps_lid.lid-e8BnL2v7Bbrm.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Modifies system executable filetype association
Executes dropped EXE
Drops file in Program Files directory
Checks whether UAC is enabled
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Modifies system certificate store
Modifies registry class
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-10-31 13:48
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-31 13:48
Reported: 2024-10-31 13:50
Platform: win10v2004-20241007-en
Max time kernel: 111s
Max time network: 113s
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | C:\Windows\system32\regsvr32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Modifies registry class
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices | C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe
"C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe"
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe" -downpower -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E580D59 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00600.00001018 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -uncompatiblemso
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00600.00001018
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=4392 /prv
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
Network
Files
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\pl_PL\style.xml
| MD5 | 034f37e6536c1430d55f64168b7e9f05 |
| SHA1 | dd08c0ef0d086dfbe59797990a74dab14fc850e2 |
| SHA256 | 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384 |
| SHA512 | 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 76ad8bf279bac89f0599663026a51f7c |
| SHA1 | 69fcebfd94e71b0a1e835dae3568998c8d065887 |
| SHA256 | 02e35d84d642896469cc98c67855c933bcad3be1606bbde8245d823e440bde8a |
| SHA512 | fea8d111ca51d99d8bdaf2532bbdba0188e982cd93fc4fed1351315280bd46e1cf8b459d1b5c010b7fd26bb185a0418ceb29aae5925b03c021eda94b512fa73c |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 67cf06f0ba5cc0c1c61fa1186cd74dc9 |
| SHA1 | 7e65178bb7bc25648c1e2a878c9125a77cb2e1ac |
| SHA256 | 1c33bff5e914871d7b878f9b87f9e954a21b9d2928e0f043f86bec1da3642bc7 |
| SHA512 | 4d5633c68d877822217f0c8905ca47d699957f1c3ddea4beda90f99cecc008efc5d1479174323df6b6a5b5c97b253de60cf5d8daa10e92cb5976320e315d618c |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\product.dat
| MD5 | 2e743f3067fa75ff3bcad5baafafc8ea |
| SHA1 | 57ab56038ca28fcf2ce3e519a1e8f858c8bcaaff |
| SHA256 | 3927a21159fcd0049a376d60ed74449f3690d2ff95f432a3ba4b5738a478818f |
| SHA512 | 39fd24d86055788ad287e0b0a39625e6b10c85619e385cc521a7a6e4cdbe3a09becd19eecf8c491c9eff1fee3b6c70ff21e4a3f8142a01da8d8f7324840948f6 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 72b05f245adb276b0f3d0d33538746b0 |
| SHA1 | 4004a460f423c7e82b1e9fec8c65c08add01e6b1 |
| SHA256 | 40574347d79c88e7aa5cd7d0395da34308de4f6a4dfc77c1c7284044dbdea2b4 |
| SHA512 | f37e1e33fee32718485e0691632531729ac664a493aca8075af2d343ff5d202b80569dd1147cc9f2ed5759f8ef8f97cd32e127e5fdba9047d5be5432e5c3b911 |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | a9519168ca6299588edf9bd39c10828a |
| SHA1 | 9f0635e39d50d15af39f5e2c52ad240a428b5636 |
| SHA256 | 9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3 |
| SHA512 | 0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557 |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\kpacketui.dll
| MD5 | fb20ae8ae8b82e53f8f234c1d0c186b7 |
| SHA1 | c03b74f6544715b0f25d23ece700eb663b2f86fc |
| SHA256 | 057dcefa9e5a21402308bf438eb081491699a468326e3c7890ca6c033e510503 |
| SHA512 | 09a519e5be8fc15ce5c31e7341d254cb1164e42851c45a8c5ca17552aa78a242d9c52009e75953762858baa8999e5aeeda3388efbcd4d778bc67e2a268ae1429 |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5WinExtrasKso.dll
| MD5 | 0e15f2a1c22a7d0147ab6df139797a62 |
| SHA1 | 0f8207e8a1c1ff692a70c1668b2bafd566ba1718 |
| SHA256 | 6740b78526c22f1e8ea26c90d5a93436f8f2081f5f6da1c7f0e877937635977f |
| SHA512 | 981946ea220caf0c237ad2b751aa0fd11a71cb7e1502dd74a3ffac1a6ae72981d8f8910b182a8cadc7404ccbb223b2c71a9bcdf00c01efe25f7aa8e1361f5d26 |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5WidgetsKso.dll
| MD5 | a7d93abf2841afe86a08230fb2fc14db |
| SHA1 | 5b8874f7922f42dae7a9214370aef691e51d837a |
| SHA256 | 98fd11afcad50d9ecf17f02b00947c73a88a3a8929c33bc7ee04f5a0da9dba2b |
| SHA512 | 508c1725a3040353fa910743bb7d7f60b2f89171aa15bd0e0b7929db324a4256e9c7f001ac35d972ec77dcc642da8a36740c1cfbd7e4a4b421e0452024585af9 |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\vcruntime140.dll
| MD5 | 8fdb26199d64ae926509f5606460f573 |
| SHA1 | 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678 |
| SHA256 | f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c |
| SHA512 | f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\platforms\qwindows.dll
| MD5 | bc21f4d77a75822b27c3d1a598e8e29e |
| SHA1 | 4ca0afce4ee376041058e3791c10c2309ca7eddc |
| SHA256 | 69af5d323506398ce6b7c1d7a776e7bc19aff52c3745865d4e8041f23deea668 |
| SHA512 | 0de597f55ff5ec22b4783e3d607c4d5b3a9f8cb1ebaa2fbb24da37da31d5d99404e92b34af13487bcf802729960ff3dbbf26e409a2c27b8d31324e43ac51317a |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5CoreKso.dll
| MD5 | 7fc37c5552ada776f404d3679b9b0c4c |
| SHA1 | 9fba9ce4f16c935c5b8fbef62102cc7693b05f7c |
| SHA256 | 6f681003b8e6c880891e082ee68ae18e3efa8da2ecf1707145f9ae3e3d4100cf |
| SHA512 | d2007abf0cc8c01eda7db4614ea5a05114ebdc39b5afbb0f20c5ab75c1f9a799a52a6e86cf7dc4a5a38132bd88d7692fece16ffcd36a895aa1c81f135fee134e |
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\msvcp140.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5GuiKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5SvgKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\dbghelp.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5XmlKso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcrypto-kso-1_1.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libssl-kso-1_1.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kprometheus.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kdownload.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksouil.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcurl.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kbase.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksolite.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_10_31.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscloudsvr.exe
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OMPWCK99M99VXFNE9EXF.temp
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini