File name:

wps_lid.lid-u8lkKOAmNwk0.exe

Full analysis: https://app.any.run/tasks/56327033-575c-4723-951c-2bae9f0c91f7
Verdict: Malicious activity
Analysis date: August 01, 2025, 20:35:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
wps
maldoc-17
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

CE8BA682C8C6C3D778ED8F82A302CFA9

SHA1:

7CE61AD8A923F659C7090BE5725067CCD33F8987

SHA256:

7A9F4468DBFA99D279941ABD0EB81E903C25F1858D53A308270BD361EAEF140D

SSDEEP:

98304:jXs00imPHBVSyFnA+yeiMfr5ce3VyrLXSjMsPbCEGt5TRqYfIFqr0ThhGj424Yuv:1Xwnu2FT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ksomisc.exe (PID: 4580)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 476)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • Runs injected code in another process

      • pintaskbar.exe (PID: 4880)
      • pintaskbar.exe (PID: 1040)
      • pintaskbar.exe (PID: 1976)
    • Actions looks like stealing of personal data

      • wpscenter.exe (PID: 2460)
  • SUSPICIOUS

    • WPS mutex has been found

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • wpsupdate.exe (PID: 6768)
      • wps.exe (PID: 6308)
      • wpscloudsvr.exe (PID: 7060)
    • Reads security settings of Internet Explorer

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 4684)
      • wpscloudsvr.exe (PID: 3736)
      • ksomisc.exe (PID: 6408)
      • wpscloudsvr.exe (PID: 3832)
      • ksomisc.exe (PID: 5724)
      • wpscloudsvr.exe (PID: 6320)
      • wpscloudsvr.exe (PID: 7068)
      • ksomisc.exe (PID: 4796)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 6524)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 6488)
      • ksomisc.exe (PID: 6176)
      • wps.exe (PID: 6940)
      • ksomisc.exe (PID: 3732)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4456)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4808)
      • wpscloudsvr.exe (PID: 4168)
      • ksomisc.exe (PID: 5464)
      • wpscloudsvr.exe (PID: 5368)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 2120)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 856)
      • ksomisc.exe (PID: 4700)
      • wps.exe (PID: 5556)
      • ksomisc.exe (PID: 3896)
      • wpscloudsvr.exe (PID: 7060)
      • wps.exe (PID: 480)
      • wps.exe (PID: 6308)
      • ksomisc.exe (PID: 3756)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4644)
      • ksolaunch.exe (PID: 6260)
      • ksolaunch.exe (PID: 6788)
      • wpscloudsvr.exe (PID: 4168)
      • wpscloudsvr.exe (PID: 7064)
      • wps.exe (PID: 4864)
      • wps.exe (PID: 2668)
      • wps.exe (PID: 2168)
      • wps.exe (PID: 4264)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 5244)
      • ksomisc.exe (PID: 6244)
      • wpscenter.exe (PID: 4648)
      • wpscenter.exe (PID: 2460)
      • ksomisc.exe (PID: 6364)
      • ksomisc.exe (PID: 2972)
      • wps.exe (PID: 320)
      • wpscenter.exe (PID: 2228)
      • ksomisc.exe (PID: 5556)
      • wps.exe (PID: 6796)
      • wpscenter.exe (PID: 3000)
      • ksomisc.exe (PID: 3760)
    • Process drops legitimate windows executable

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Executable content was dropped or overwritten

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • wpscloudsvr.exe (PID: 7060)
      • wps.exe (PID: 6308)
      • wps.exe (PID: 320)
    • The process drops C-runtime libraries

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • The process checks if it is being run in the virtual environment

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • There is functionality for taking screenshot (YARA)

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • The process creates files with name similar to system file names

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Process drops SQLite DLL files

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Creates a software uninstall entry

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Creates file in the systems drive root

      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 4684)
      • ksomisc.exe (PID: 5724)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 4796)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 6524)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 6488)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 6176)
      • wps.exe (PID: 6940)
      • wps.exe (PID: 6584)
      • ksomisc.exe (PID: 3732)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4456)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4808)
      • ksomisc.exe (PID: 5464)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 2120)
      • ksomisc.exe (PID: 856)
      • wps.exe (PID: 5556)
      • ksomisc.exe (PID: 4700)
      • ksomisc.exe (PID: 3896)
      • wps.exe (PID: 6308)
      • wpscloudsvr.exe (PID: 7060)
      • wps.exe (PID: 480)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 3756)
      • ksomisc.exe (PID: 4644)
      • wpscloudsvr.exe (PID: 4168)
      • wps.exe (PID: 4864)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 2168)
      • wps.exe (PID: 4264)
      • wps.exe (PID: 2668)
      • wpscloudsvr.exe (PID: 7064)
      • wps.exe (PID: 6584)
      • wps.exe (PID: 5244)
      • wps.exe (PID: 5244)
      • wpscenter.exe (PID: 4648)
      • wpscenter.exe (PID: 2460)
      • ksomisc.exe (PID: 6364)
      • ksomisc.exe (PID: 6244)
      • wpscenter.exe (PID: 2228)
      • wps.exe (PID: 320)
      • ksomisc.exe (PID: 2972)
      • wps.exe (PID: 6796)
      • ksomisc.exe (PID: 5556)
    • The process verifies whether the antivirus software is installed

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Creates/Modifies COM task schedule object

      • ksomisc.exe (PID: 4580)
      • regsvr32.exe (PID: 3976)
    • Application launched itself

      • wps.exe (PID: 6940)
      • wps.exe (PID: 6308)
      • wps.exe (PID: 480)
    • Searches for installed software

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 3756)
    • Starts itself from another location

      • wpscloudsvr.exe (PID: 7060)
  • INFO

    • Reads the computer name

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 4684)
      • wpscloudsvr.exe (PID: 3736)
      • ksomisc.exe (PID: 5724)
      • wpscloudsvr.exe (PID: 6320)
      • ksomisc.exe (PID: 6408)
      • wpscloudsvr.exe (PID: 3832)
      • ksomisc.exe (PID: 4796)
      • wpscloudsvr.exe (PID: 7068)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 6524)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 6488)
      • ksomisc.exe (PID: 6176)
      • wps.exe (PID: 6940)
      • ksomisc.exe (PID: 3732)
      • wps.exe (PID: 6584)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4456)
      • wpsupdate.exe (PID: 4692)
      • ksomisc.exe (PID: 476)
      • wpsupdate.exe (PID: 6768)
      • ksomisc.exe (PID: 4808)
      • wpscloudsvr.exe (PID: 4168)
      • ksomisc.exe (PID: 5464)
      • wpscloudsvr.exe (PID: 5368)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 2120)
      • ksomisc.exe (PID: 4700)
      • ksomisc.exe (PID: 856)
      • wps.exe (PID: 6308)
      • wps.exe (PID: 5556)
      • ksomisc.exe (PID: 3896)
      • wpscloudsvr.exe (PID: 7060)
      • ksomisc.exe (PID: 4644)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 3756)
      • wps.exe (PID: 480)
      • promecefpluginhost.exe (PID: 5464)
      • wpscloudsvr.exe (PID: 4168)
      • kwinappinstaller.exe (PID: 6772)
      • wps.exe (PID: 5244)
      • wpscloudsvr.exe (PID: 7064)
      • wps.exe (PID: 6584)
      • promecefpluginhost.exe (PID: 3852)
      • kwpswnsserver.exe (PID: 4944)
      • wpscenter.exe (PID: 4648)
      • wpscenter.exe (PID: 2460)
      • ksomisc.exe (PID: 6244)
      • wpscenter.exe (PID: 2228)
      • wps.exe (PID: 320)
      • ksomisc.exe (PID: 6364)
      • ksomisc.exe (PID: 2972)
      • ksomisc.exe (PID: 5556)
    • Reads the machine GUID from the registry

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 4684)
      • wpscloudsvr.exe (PID: 3736)
      • ksomisc.exe (PID: 6408)
      • wpscloudsvr.exe (PID: 3832)
      • ksomisc.exe (PID: 5724)
      • wpscloudsvr.exe (PID: 6320)
      • ksomisc.exe (PID: 4796)
      • wpscloudsvr.exe (PID: 7068)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 6524)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 6176)
      • wps.exe (PID: 6940)
      • ksomisc.exe (PID: 6488)
      • ksomisc.exe (PID: 3732)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3760)
      • wpsupdate.exe (PID: 4692)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4456)
      • wpsupdate.exe (PID: 6768)
      • ksomisc.exe (PID: 4808)
      • wpscloudsvr.exe (PID: 4168)
      • wpscloudsvr.exe (PID: 5368)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 5464)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 2120)
      • ksomisc.exe (PID: 4700)
      • wps.exe (PID: 5556)
      • ksomisc.exe (PID: 856)
      • ksolaunch.exe (PID: 4888)
      • wps.exe (PID: 6308)
      • ksomisc.exe (PID: 3896)
      • wps.exe (PID: 480)
      • wpscloudsvr.exe (PID: 7060)
      • ksomisc.exe (PID: 4644)
      • ksomisc.exe (PID: 3756)
      • ksomisc.exe (PID: 3760)
      • ksolaunch.exe (PID: 6788)
      • ksolaunch.exe (PID: 6260)
      • wpscloudsvr.exe (PID: 4168)
      • wpscloudsvr.exe (PID: 7064)
      • promecefpluginhost.exe (PID: 5464)
      • promecefpluginhost.exe (PID: 3852)
      • wps.exe (PID: 4864)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 4264)
      • wps.exe (PID: 2668)
      • wps.exe (PID: 2168)
      • wpscenter.exe (PID: 4648)
      • wps.exe (PID: 5244)
      • ksomisc.exe (PID: 6244)
      • wpscenter.exe (PID: 2460)
      • wpscenter.exe (PID: 2228)
      • ksomisc.exe (PID: 6364)
      • wps.exe (PID: 320)
      • ksomisc.exe (PID: 2972)
      • ksomisc.exe (PID: 5556)
      • wps.exe (PID: 6796)
      • wpscenter.exe (PID: 3000)
      • ksomisc.exe (PID: 3760)
    • Creates files or folders in the user directory

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 4684)
      • ksomisc.exe (PID: 5724)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 4796)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 6524)
      • ksomisc.exe (PID: 6488)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 6176)
      • explorer.exe (PID: 4772)
      • wps.exe (PID: 6940)
      • ksomisc.exe (PID: 3732)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4456)
      • OpenWith.exe (PID: 5900)
      • wpsupdate.exe (PID: 6768)
      • wpsupdate.exe (PID: 4692)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4808)
      • ksomisc.exe (PID: 5464)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 2120)
      • ksomisc.exe (PID: 856)
      • ksomisc.exe (PID: 4700)
      • ksomisc.exe (PID: 3896)
      • wps.exe (PID: 6308)
      • wpscloudsvr.exe (PID: 7060)
      • wps.exe (PID: 480)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4644)
      • ksomisc.exe (PID: 3756)
      • promecefpluginhost.exe (PID: 5464)
      • wpscloudsvr.exe (PID: 4168)
      • promecefpluginhost.exe (PID: 3852)
      • wpscloudsvr.exe (PID: 7064)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 2168)
      • wps.exe (PID: 320)
    • Process checks computer location settings

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 4684)
      • ksomisc.exe (PID: 5724)
      • ksomisc.exe (PID: 4796)
      • ksomisc.exe (PID: 1044)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4808)
      • ksomisc.exe (PID: 5464)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 2120)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 2168)
      • wps.exe (PID: 480)
      • wps.exe (PID: 5244)
      • wps.exe (PID: 4864)
      • ksomisc.exe (PID: 6244)
    • Reads the software policy settings

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • slui.exe (PID: 4112)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 4684)
      • wpscloudsvr.exe (PID: 3736)
      • wpscloudsvr.exe (PID: 3832)
      • wpscloudsvr.exe (PID: 6320)
      • ksomisc.exe (PID: 5724)
      • ksomisc.exe (PID: 4796)
      • wpscloudsvr.exe (PID: 7068)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 6524)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 6488)
      • wps.exe (PID: 6940)
      • ksomisc.exe (PID: 6176)
      • ksomisc.exe (PID: 3732)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3876)
      • OpenWith.exe (PID: 5900)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4456)
      • wpsupdate.exe (PID: 6768)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4808)
      • wpscloudsvr.exe (PID: 4168)
      • ksomisc.exe (PID: 3948)
      • wpscloudsvr.exe (PID: 5368)
      • ksomisc.exe (PID: 5464)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 2120)
      • ksomisc.exe (PID: 856)
      • ksomisc.exe (PID: 4700)
      • wps.exe (PID: 5556)
      • ksomisc.exe (PID: 3896)
      • wpscloudsvr.exe (PID: 7060)
      • wps.exe (PID: 6308)
      • ksomisc.exe (PID: 4644)
      • ksomisc.exe (PID: 3756)
      • ksomisc.exe (PID: 3760)
      • wps.exe (PID: 480)
      • ksolaunch.exe (PID: 6260)
      • ksolaunch.exe (PID: 6788)
      • wpscloudsvr.exe (PID: 4168)
      • wpscloudsvr.exe (PID: 7064)
      • wps.exe (PID: 4864)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 2668)
      • wps.exe (PID: 2168)
      • wps.exe (PID: 4264)
      • wps.exe (PID: 5244)
      • wpscenter.exe (PID: 4648)
      • ksomisc.exe (PID: 6244)
      • wpscenter.exe (PID: 2460)
      • ksomisc.exe (PID: 6364)
      • wpscenter.exe (PID: 2228)
      • wps.exe (PID: 320)
      • ksomisc.exe (PID: 2972)
      • ksomisc.exe (PID: 5556)
      • wps.exe (PID: 6796)
      • wpscenter.exe (PID: 3000)
      • ksomisc.exe (PID: 3760)
    • Checks supported languages

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • ksomisc.exe (PID: 4688)
      • ksomisc.exe (PID: 2348)
      • ksomisc.exe (PID: 5884)
      • ksomisc.exe (PID: 4748)
      • ksomisc.exe (PID: 5240)
      • ksomisc.exe (PID: 4580)
      • ksomisc.exe (PID: 868)
      • ksomisc.exe (PID: 236)
      • ksomisc.exe (PID: 4684)
      • wpscloudsvr.exe (PID: 3736)
      • ksomisc.exe (PID: 5724)
      • ksomisc.exe (PID: 6408)
      • wpscloudsvr.exe (PID: 6320)
      • wpscloudsvr.exe (PID: 3832)
      • ksomisc.exe (PID: 4796)
      • wpscloudsvr.exe (PID: 7068)
      • ksomisc.exe (PID: 6460)
      • ksomisc.exe (PID: 3948)
      • ksomisc.exe (PID: 6524)
      • pintaskbar.exe (PID: 4880)
      • ksomisc.exe (PID: 6488)
      • ksomisc.exe (PID: 6176)
      • wps.exe (PID: 6940)
      • wps.exe (PID: 6584)
      • ksomisc.exe (PID: 3732)
      • ksomisc.exe (PID: 6676)
      • ksomisc.exe (PID: 1604)
      • ksomisc.exe (PID: 5012)
      • ksomisc.exe (PID: 3876)
      • ksomisc.exe (PID: 1944)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 4456)
      • wpsupdate.exe (PID: 4692)
      • wpsupdate.exe (PID: 6768)
      • ksomisc.exe (PID: 1044)
      • ksomisc.exe (PID: 476)
      • ksomisc.exe (PID: 4808)
      • wpscloudsvr.exe (PID: 4168)
      • ksomisc.exe (PID: 5464)
      • wpscloudsvr.exe (PID: 5368)
      • ksomisc.exe (PID: 3948)
      • pintaskbar.exe (PID: 1040)
      • ksomisc.exe (PID: 2120)
      • pintaskbar.exe (PID: 1976)
      • ksomisc.exe (PID: 856)
      • ksomisc.exe (PID: 3392)
      • ksomisc.exe (PID: 4700)
      • wps.exe (PID: 5556)
      • ksomisc.exe (PID: 3896)
      • ksolaunch.exe (PID: 4888)
      • wps.exe (PID: 6308)
      • wps.exe (PID: 480)
      • wpscloudsvr.exe (PID: 7060)
      • ksomisc.exe (PID: 4644)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 3756)
      • ksolaunch.exe (PID: 6260)
      • wpscloudsvr.exe (PID: 7064)
      • wpscloudsvr.exe (PID: 4168)
      • ksolaunch.exe (PID: 6788)
      • promecefpluginhost.exe (PID: 5464)
      • promecefpluginhost.exe (PID: 3852)
      • wps.exe (PID: 4864)
      • wps.exe (PID: 1576)
      • wps.exe (PID: 2668)
      • wps.exe (PID: 2168)
      • wps.exe (PID: 4264)
      • kwinappinstaller.exe (PID: 6772)
      • wps.exe (PID: 6584)
      • wps.exe (PID: 5244)
      • wps.exe (PID: 5244)
      • wpscenter.exe (PID: 4648)
      • kwpswnsserver.exe (PID: 4944)
      • ksomisc.exe (PID: 6244)
      • wpscenter.exe (PID: 2460)
      • ksomisc.exe (PID: 6364)
      • wps.exe (PID: 320)
      • ksomisc.exe (PID: 2972)
      • wpscenter.exe (PID: 2228)
      • wps.exe (PID: 6796)
      • wpscenter.exe (PID: 3000)
      • ksomisc.exe (PID: 3760)
      • ksomisc.exe (PID: 5556)
    • Creates files in the program directory

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Checks proxy server information

      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • slui.exe (PID: 4112)
      • OpenWith.exe (PID: 5900)
      • wpsupdate.exe (PID: 6768)
      • wpsupdate.exe (PID: 4692)
      • wps.exe (PID: 480)
    • Create files in a temporary directory

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
      • wps_lid.lid-u8lkKOAmNwk0.exe (PID: 1392)
      • ksomisc.exe (PID: 1044)
      • wps.exe (PID: 480)
      • wpscloudsvr.exe (PID: 4168)
    • The sample compiled with english language support

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • The sample compiled with japanese language support

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • The sample compiled with chinese language support

      • 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe (PID: 2632)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • OpenWith.exe (PID: 5900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:22 06:55:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4226048
InitializedDataSize: 1552896
UninitializedDataSize: -
EntryPoint: 0x2b9847
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 12.2.0.21563
ProductVersionNumber: 12.2.0.21563
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription: WPS Office Setup
FileVersion: 12,2,0,21563
InternalName: konlinesetup_xa
LegalCopyright: Copyright©2025 Kingsoft Corporation. All rights reserved.
OriginalFileName: konlinesetup_xa.exe
ProductName: WPS Office
ProductVersion: 12,2,0,21563
MIMEType: -
No data.
All screenshots are available in the full report
Total processes
245
Monitored processes
99
Malicious processes
9
Suspicious processes
9

Behavior graph

start wps_lid.lid-u8lkkoamnwk0.exe 3a0deb49e43300299beaae7c87e710cb-15_setup_xa_mui_free.exe.601.1074.exe slui.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe pintaskbar.exe no specs ksomisc.exe wps.exe wps.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe openwith.exe ksomisc.exe ksomisc.exe wpsupdate.exe wpsupdate.exe regsvr32.exe no specs ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe pintaskbar.exe no specs pintaskbar.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe wps.exe no specs ksolaunch.exe no specs wps.exe wpscloudsvr.exe wps.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksolaunch.exe no specs ksolaunch.exe no specs wpscloudsvr.exe wpscloudsvr.exe promecefpluginhost.exe no specs promecefpluginhost.exe wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs kwinappinstaller.exe no specs kwpswnsserver.exe no specs wps.exe no specs wpscenter.exe ksomisc.exe wpscenter.exe ksomisc.exe wpscenter.exe wps.exe ksomisc.exe ksomisc.exe wps.exe no specs wpscenter.exe no specs ksomisc.exe no specs ksomisc.exe no specs ksomisc.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\\office6\ksomisc.exe" -setappcap
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe
Parent process: 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 320
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\wps.exe" Run C:\Users\admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/upwpsupdate_1.1.2025.1/repsvr.dll -upoffice
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\wps.exe
Parent process: wps.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\wps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 420
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\kmso2pdfplugins64.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: ksomisc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 476
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe" -regmso2pdfplugins
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe
Parent process: 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 480
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\wps.exe" Run "C:/Users/admin/AppData/Local/Kingsoft/WPS Office/12.2.0.21931/office6/addons/kcef/jsapibrowser.dll" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.21931.21232f297a57a5a7.dpi1.pipe --rendererswitchflag=0
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\wps.exe
Parent process: wps.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\wps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 760
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe" -sendDc ZmVhdHVyZV9yZXBzdnJfaW5mbzphY3Rpb258dXBvZmZpY2Vjb3B5ZmlsZXRyYW5zYWN0aW9uO2V4dF9wMHwwO2V4dF9wMXwwO2V4dF9wMnw7ZXh0X3AzfDA7ZXh0X3A0fDYzO2V4dF9wNXxvZmZpY2U2XHdwc3VwZGF0ZS5leGU7ZXh0X3A2fG9mZmljZTZcd3BzdXBkYXRlLmV4ZTtwbHVnaW5fbmFtZXx1cHdwc3VwZGF0ZV8xLjEuMjAyNS4x 0 0
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe
Parent process: wps.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 856
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe" -rebuildicon
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe
Parent process: 3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
868
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe" -regprogid true
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
1040
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\pinTaskbar.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WPS Office.lnk" 51606
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\pintaskbar.exe
ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\pintaskbar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
1044
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.21931\office6\ksomisc.exe
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,21931
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.21931\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
Total events
297 684
Read events
292 275
Write events
4 011
Delete events
1 398

Modification events

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000702BE
Operation: write
Name: VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000090272
Operation: write
Name: VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000007025A
Operation: write
Name: VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001C0022
Operation: write
Name: VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process: (1392) wps_lid.lid-u8lkKOAmNwk0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: onlinesetup_penetrate_id_type
Value:
web
(PID) Process: (1392) wps_lid.lid-u8lkKOAmNwk0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: onlinesetup_penetrate_id
Value:
lid-u8lkKOAmNwk0
(PID) Process: (1392) wps_lid.lid-u8lkKOAmNwk0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: startup_time
Value:
2025-08-01 20
(PID) Process: (1392) wps_lid.lid-u8lkKOAmNwk0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: global_progress
Value:
startup
(PID) Process: (1392) wps_lid.lid-u8lkKOAmNwk0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\Common
Operation: write
Name: newGuideShow
Value:
1
(PID) Process: (1392) wps_lid.lid-u8lkKOAmNwk0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: global_progress
Value:
download_start
Executable files
425
Suspicious files
631
Text files
2 518
Unknown types
799

Dropped files

PID
Process
Filename
Type
1392
wps_lid.lid-u8lkKOAmNwk0.exe
C:\ProgramData\WPS\Installers\3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_et.txt
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_pdf.txt
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_prometheus.txt
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_prome_init.txt
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_qing.txt
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_wpp.txt
MD5:
SHA256:
2632
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
C:\Users\admin\AppData\Local\Temp\wps\~190bbe\CONTROL\prereadimages_wps.txt
MD5:
SHA256:
4772
explorer.exe
C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
1392
wps_lid.lid-u8lkKOAmNwk0.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
der
MD5: DE8EABD06BE4A0CA8FEBAD85452A8AA2
SHA256: 936EED70CB3ADBACF694565C79D464E49854419275B21ED063D101D25BF7070B
HTTP(S) requests
10
TCP/UDP connections
141
DNS requests
50
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5644
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1392
wps_lid.lid-u8lkKOAmNwk0.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA9S8pUz7rrUEVA2eU7hB08%3D
unknown
whitelisted
1392
wps_lid.lid-u8lkKOAmNwk0.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
3944
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1392
wps_lid.lid-u8lkKOAmNwk0.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
2940
svchost.exe
GET
200
104.76.201.34:80
http://x1.c.lencr.org/
unknown
whitelisted
1976
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.10.155:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3944
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7064
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1392
wps_lid.lid-u8lkKOAmNwk0.exe
142.250.186.142:443
www.google-analytics.com
GOOGLE
US
whitelisted
1392
wps_lid.lid-u8lkKOAmNwk0.exe
90.84.175.86:443
params.wps.com
Orange
FR
whitelisted
1392
wps_lid.lid-u8lkKOAmNwk0.exe
163.53.19.10:443
wdl1.pcfg.cache.wpscdn.com
STARCLOUD GLOBAL PTE., LTD.
HK
unknown
4
System
192.168.100.255:138
whitelisted
5644
svchost.exe
40.126.31.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5644
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.google-analytics.com
  • 142.250.186.142
whitelisted
params.wps.com
  • 90.84.175.86
whitelisted
wdl1.pcfg.cache.wpscdn.com
  • 163.53.19.10
unknown
api.wps.com
  • 90.84.175.86
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.128
  • 20.190.159.23
  • 40.126.31.67
  • 20.190.159.130
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.3
  • 40.126.32.68
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.74
  • 20.190.160.20
  • 20.190.160.130
  • 40.126.32.140
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 2.16.10.155
  • 2.16.10.152
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
Process
Message
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
[kscreen] isElide:0 switchRec:0 switchRecElide:1
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_BrandAreaWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
3a0deb49e43300299beaae7c87e710cb-15_setup_XA_mui_Free.exe.601.1074.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout