home

wpsnotify.exe

WPS Office

Zhuhai Kingsoft Office Software Co.,Ltd

The executable wpsnotify.exe, “WPS Office Expansion tool” has been detected as malware by 3 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time.
Publisher:
Zhuhai Kingsoft Office Software Co.,Ltd  (signed and verified)

Product:
WPS Office

Description:
WPS Office Expansion tool

Version:
10,1,0,5509

MD5:
3bbcd32e770bcfae48a0b3a3a086ec64

SHA-1:
54115915b925b6a477bbbe0a2860f703904ff32e

SHA-256:
8b5d7602f9cce8b25ff88c102d523ccf41be1b67d90af633c82763242b778ee2

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
4/6/2025 12:44:16 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Floxif.H virus
6.3.12010.0

F-Prot
W32/Floxif.B
4.6.5.141

F-Secure
Win32.Floxif.A
5.15.154

File size:
657.8 KB (673,607 bytes)

Product version:
10,1,0,5509

Copyright:
Copyright©1988-2016 Kingsoft Corporation. All rights reserved.

Original file name:
wpsnotify.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\kingsoft\wps office\10.1.0.5509\wtoolex\wpsnotify.exe

Digital Signature
Signed by:
Zhuhai Kingsoft Office Software Co.,Ltd

Authority:
Symantec Corporation

Valid from:
1/21/2016 8:00:00 AM

Valid to:
4/20/2017 7:59:59 AM

Subject:
CN="Zhuhai Kingsoft Office Software Co.,Ltd", OU=RD Department, O="Zhuhai Kingsoft Office Software Co.,Ltd", L=Zhuhai, S=Guangdong, C=CN

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
633ADDC88652B47F575CB7BA1520874A

File PE Metadata
Compilation timestamp:
3/10/2016 8:20:42 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x15B030

Entry point:
E9, B8, 2B, FE, FF, 00, 8D, BE, 00, 80, F1, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Entropy:
7.7664

Packer / compiler:
SecureEXE, 0x3.0

Code size:
460 KB (471,040 bytes)

Scheduled Task
Task name:
WpsNotifyTask_User

Trigger:
Daily (Runs daily at 9:23 PM)

Description:
WPS Office Notify Task.


Remove wpsnotify.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.