File name: wps_wid.cid-1955044393.1761994473.exe

Full analysis: https://app.any.run/tasks/3601ba7a-03e9-4a51-aa07-f40236a5a786
Verdict: Malicious activity
Analysis date: November 03, 2025, 09:42:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: wps, anti-evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 4EAD696DC13E79EC7261DF1B7A826B6C
SHA1: 159922F2E15F3A961BB79067039B9DEE7BDC65D1
SHA256: 24F3C782D0AA024E7CBCAECCF6DD93BB3C91142A68C72066B30F64C8E297294B
SSDEEP: 98304:7ns08NGObHPCVooCZsf+sUokH3Tu2Yy4yfQl+5Tarzf5/Q+IqRDHta7ShlAjGIhJ:CuH+e6N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • WPS mutex has been found

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Reads security settings of Internet Explorer

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Process drops legitimate windows executable

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • The process drops C-runtime libraries

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Executable content was dropped or overwritten

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • The process checks if it is being run in the virtual environment

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
  • INFO

    • Reads the computer name

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Reads the machine GUID from the registry

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Process checks computer location settings

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
    • Checks supported languages

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Reads the software policy settings

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Creates files in the program directory

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Checks proxy server information

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
    • Creates files or folders in the user directory

      • wps_wid.cid-1955044393.1761994473.exe (PID: 7576)
      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • Create files in a temporary directory

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • The sample compiled with english language support

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • The sample compiled with japanese language support

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
    • The sample compiled with chinese language support

      • 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe (PID: 1928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:08:18 07:42:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4227584
InitializedDataSize: 1556992
UninitializedDataSize: -
EntryPoint: 0x2b9d57
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 12.2.0.21567
ProductVersionNumber: 12.2.0.21567
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription: WPS Office Setup
FileVersion: 12,2,0,21567
InternalName: konlinesetup_xa
LegalCopyright: Copyright©2025 Kingsoft Corporation. All rights reserved.
OriginalFileName: konlinesetup_xa.exe
ProductName: WPS Office
ProductVersion: 12,2,0,21567
MIMEType: -
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start; wps_wid.cid-1955044393.1761994473.exe; 8eb965f8181b753208c3bfcbdfd18f15-16_setup_xa_mui_free.exe.600.1002.exe; slui.exe (no specs)

Process information

PID: 1688
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1928
CMD: "C:\ProgramData\WPS\Installers\8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct=en_US -notElevateAndDirectlyInstall -D="C:\Users\admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\admin\AppData\Roaming"
Path: C:\ProgramData\WPS\Installers\8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Parent process: wps_wid.cid-1955044393.1761994473.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Install Application
Version: 12,2,0,23131
Modules
Images
c:\programdata\wps\installers\8eb965f8181b753208c3bfcbdfd18f15-16_setup_xa_mui_free.exe.600.1002.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msi.dll

PID: 7576
CMD: "C:\Users\admin\AppData\Local\Temp\wps_wid.cid-1955044393.1761994473.exe"
Path: C:\Users\admin\AppData\Local\Temp\wps_wid.cid-1955044393.1761994473.exe
Parent process: explorer.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Setup
Version: 12,2,0,21567
Modules
Images
c:\users\admin\appdata\local\temp\wps_wid.cid-1955044393.1761994473.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Total events: 15 312
Read events: 15 284
Write events: 25
Delete events: 3

Modification events

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: infoGuid
Value: 5CEA1E38B5C84C96A3CC2699E0F476E2

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: infoHdid
Value: 3e7c1596d8d93b4babd3803a1ebc8ffe

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: onlinesetup_penetrate_id_type
Value: web

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: onlinesetup_penetrate_id
Value: cid-1955044393.1761994473

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: startup_time
Value: 2025-11-03 09

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: global_progress
Value: startup

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\Common
Operation: write
Name: newGuideShow
Value: 1

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\plugins\kdcsdk
Operation: write
Name: countrycode
Value: NL

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\plugins\kdcsdk
Operation: write
Name: lastupdatecountrycode
Value: 1762162959098

(PID) Process: (7576) wps_wid.cid-1955044393.1761994473.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: global_progress
Value: download_start

Executable files: 69
Suspicious files: 39
Text files: 528
Unknown types: 9

Dropped files

PID: 7576
Process: wps_wid.cid-1955044393.1761994473.exe
Filename: C:\ProgramData\WPS\Installers\8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_et.txt
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_pdf.txt
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_prometheus.txt
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_prome_init.txt
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_qing.txt
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_wpp.txt
MD5:
SHA256:

PID: 1928
Process: 8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
Filename: C:\Users\admin\AppData\Local\Temp\wps\~16d798\CONTROL\prereadimages_wps.txt
MD5:
SHA256:

PID: 7576
Process: wps_wid.cid-1955044393.1761994473.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 65EB818C659D08421DDA4CD794C64C0A
SHA256: ED6D0A39FDD40368A4C27CE33F6D680DB03A36170B6C272251201681DBDE93F3

PID: 7576
Process: wps_wid.cid-1955044393.1761994473.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: E8099BFD97BFA25D899DA4CAF1DF46DA
SHA256: CE4F77BDA6B0B00F5250F3754214D407C21929B4D6E412BD67899500BC8F318E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 32
DNS requests: 21
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
696
svchost.exe
GET
200
95.101.35.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5320
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
6972
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5320
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
unknown
whitelisted
5320
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
7576
wps_wid.cid-1955044393.1761994473.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
7576
wps_wid.cid-1955044393.1761994473.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA9S8pUz7rrUEVA2eU7hB08%3D
unknown
whitelisted
7576
wps_wid.cid-1955044393.1761994473.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
696 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5596 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5040 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7088 | SearchApp.exe | 2.16.241.207:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
7576 | wps_wid.cid-1955044393.1761994473.exe | 172.217.23.110:443 | www.google-analytics.com | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7576 | wps_wid.cid-1955044393.1761994473.exe | 90.84.175.86:443 | params.wps.com | Orange | FR | whitelisted
696 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
696 | svchost.exe | 95.101.35.35:80 | crl.microsoft.com | Orange | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
www.bing.com
  • 2.16.241.207
  • 2.16.241.212
  • 2.16.241.218
  • 2.16.241.205
  • 2.16.241.211
  • 2.16.241.206
  • 2.16.241.208
  • 2.16.241.209
  • 2.16.241.219
whitelisted
www.google-analytics.com
  • 172.217.23.110
  • 142.250.186.174
whitelisted
params.wps.com
  • 90.84.175.86
unknown
api.wps.com
  • 90.84.175.86
unknown
crl.microsoft.com
  • 95.101.35.35
  • 95.101.35.8
whitelisted
wdl1.pcfg.cache.wpscdn.com
  • 89.222.119.91
unknown
login.live.com
  • 20.190.159.71
  • 40.126.31.67
  • 40.126.31.3
  • 40.126.31.128
  • 40.126.31.130
  • 40.126.31.131
  • 20.190.159.68
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Process
Message
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
[kscreen] isElide:0 switchRec:0 switchRecElide:1
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_BrandAreaWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
8eb965f8181b753208c3bfcbdfd18f15-16_setup_XA_mui_Free.exe.600.1002.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout