File name: wps_lid.lid-s8Cl2MJuCAw3.exe

Full analysis: https://app.any.run/tasks/6e39b0b3-9ff8-4a42-9b32-dd671a538602
Verdict: Malicious activity
Analysis date: November 09, 2025, 03:37:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: wps, anti-evasion, maldoc-17
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 37302C89A345E30233A180045D67AFB6
SHA1: 3BC2C29B054CDBAD9B9D427CDFC1BF23FD54633E
SHA256: A848953BA991AF275B46627165714778F8E465EFC8A8F9D9A5C2143D6B087F52
SSDEEP: 98304:Vns08NGObHPCVooCZsf+sUokH3Tu2Yy4yfQl+5Tarzf5/Q+IqRDHta7ShlAjGIhd:MuHJe6Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ksomisc.exe (PID: 5040)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 5580)
    • Runs injected code in another process

      • pintaskbar.exe (PID: 7324)
      • pintaskbar.exe (PID: 3156)
      • pintaskbar.exe (PID: 3984)
      • pintaskbar.exe (PID: 2964)
      • pintaskbar.exe (PID: 1508)
      • pintaskbar.exe (PID: 1376)
      • pintaskbar.exe (PID: 1132)
      • pintaskbar.exe (PID: 7252)
      • pintaskbar.exe (PID: 5540)
      • pintaskbar.exe (PID: 7328)
      • pintaskbar.exe (PID: 6400)
    • Application was injected by another process

      • explorer.exe (PID: 6484)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • ksomisc.exe (PID: 7596)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 8176)
      • ksomisc.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 2772)
      • ksomisc.exe (PID: 4416)
      • wpscloudsvr.exe (PID: 5172)
      • wpscloudsvr.exe (PID: 6356)
      • ksomisc.exe (PID: 6904)
      • wpscloudsvr.exe (PID: 7952)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 6244)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 3156)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 7328)
      • ksomisc.exe (PID: 5400)
      • wps.exe (PID: 6400)
      • ksomisc.exe (PID: 1376)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 7688)
      • ksomisc.exe (PID: 7620)
      • ksomisc.exe (PID: 1384)
      • wpscloudsvr.exe (PID: 7628)
      • ksomisc.exe (PID: 7732)
      • ksomisc.exe (PID: 2384)
      • ksomisc.exe (PID: 7956)
      • ksomisc.exe (PID: 4792)
      • kstartscreenpinchecker64.exe (PID: 5480)
      • wps.exe (PID: 4316)
      • ksomisc.exe (PID: 3100)
      • ksomisc.exe (PID: 6504)
      • wpscloudsvr.exe (PID: 7620)
      • ksomisc.exe (PID: 8064)
      • wps.exe (PID: 7896)
      • ksolaunch.exe (PID: 6108)
      • ksomisc.exe (PID: 7720)
      • wpscloudsvr.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 2880)
      • ksomisc.exe (PID: 7776)
    • The process drops C-runtime libraries

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • WPS mutex has been found

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • wpsupdate.exe (PID: 7780)
      • wps.exe (PID: 7224)
      • wpscloudsvr.exe (PID: 7620)
    • Process drops legitimate windows executable

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Executable content was dropped or overwritten

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 5580)
      • wps.exe (PID: 7224)
      • wpscloudsvr.exe (PID: 7620)
    • The process checks if it is being run in the virtual environment

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • The process creates files with name similar to system file names

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • wpscloudsvr.exe (PID: 7620)
    • Process drops SQLite DLL files

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Write to the desktop.ini file (may be used to cloak folders)

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • There is functionality for taking screenshot (YARA)

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Creates file in the systems drive root

      • ksomisc.exe (PID: 7596)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 5472)
      • ksomisc.exe (PID: 8176)
      • ksomisc.exe (PID: 4416)
      • ksomisc.exe (PID: 6904)
      • ksomisc.exe (PID: 6244)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 3156)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 7328)
      • wps.exe (PID: 6400)
      • ksomisc.exe (PID: 5400)
      • wps.exe (PID: 480)
      • ksomisc.exe (PID: 1376)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 7688)
      • ksomisc.exe (PID: 7620)
      • ksomisc.exe (PID: 7936)
      • ksomisc.exe (PID: 7776)
      • ksomisc.exe (PID: 1384)
      • ksomisc.exe (PID: 2384)
      • ksomisc.exe (PID: 7732)
      • ksomisc.exe (PID: 5580)
      • ksomisc.exe (PID: 7956)
      • ksomisc.exe (PID: 3420)
      • ksomisc.exe (PID: 4792)
      • ksomisc.exe (PID: 2388)
      • ksomisc.exe (PID: 3100)
      • wps.exe (PID: 4316)
      • ksomisc.exe (PID: 6504)
      • wps.exe (PID: 7224)
      • wpscloudsvr.exe (PID: 7620)
      • wps.exe (PID: 7896)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 6376)
      • ksomisc.exe (PID: 8064)
      • wps.exe (PID: 7332)
      • wps.exe (PID: 6456)
      • wps.exe (PID: 7908)
      • wps.exe (PID: 7324)
      • wps.exe (PID: 6124)
      • wps.exe (PID: 3080)
      • wpscloudsvr.exe (PID: 5472)
      • wps.exe (PID: 2820)
      • wpscloudsvr.exe (PID: 2880)
      • wps.exe (PID: 6232)
    • The process verifies whether the antivirus software is installed

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Creates/Modifies COM task schedule object

      • ksomisc.exe (PID: 5040)
    • Application launched itself

      • wps.exe (PID: 6400)
      • wps.exe (PID: 7224)
      • wps.exe (PID: 7896)
    • Searches for installed software

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
  • INFO

    • Reads the computer name

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7596)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 204)
      • wpscloudsvr.exe (PID: 2772)
      • ksomisc.exe (PID: 8176)
      • ksomisc.exe (PID: 4416)
      • ksomisc.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 6356)
      • ksomisc.exe (PID: 6904)
      • wpscloudsvr.exe (PID: 7952)
      • wpscloudsvr.exe (PID: 5172)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 6244)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 3156)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 7328)
      • ksomisc.exe (PID: 5400)
      • wps.exe (PID: 6400)
      • wps.exe (PID: 480)
      • ksomisc.exe (PID: 1376)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7620)
      • ksomisc.exe (PID: 1384)
      • wpsupdate.exe (PID: 7780)
      • wpsupdate.exe (PID: 4360)
      • ksomisc.exe (PID: 2384)
      • wpscloudsvr.exe (PID: 4320)
      • ksomisc.exe (PID: 7956)
      • kstartscreenpinchecker64.exe (PID: 5480)
      • ksomisc.exe (PID: 2388)
      • wps.exe (PID: 4316)
      • wpscloudsvr.exe (PID: 7620)
      • ksomisc.exe (PID: 7720)
      • wps.exe (PID: 7896)
      • ksomisc.exe (PID: 6376)
      • wps.exe (PID: 6456)
      • promecefpluginhost.exe (PID: 2616)
      • wps.exe (PID: 7332)
      • ksomisc.exe (PID: 5580)
    • Process checks computer location settings

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 8176)
      • ksomisc.exe (PID: 5472)
      • ksomisc.exe (PID: 4416)
      • ksomisc.exe (PID: 6904)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 7936)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 7732)
      • ksomisc.exe (PID: 7956)
      • kstartscreenpinchecker64.exe (PID: 5480)
      • ksomisc.exe (PID: 4792)
      • wps.exe (PID: 6124)
    • Checks supported languages

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 7596)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 8176)
      • wpscloudsvr.exe (PID: 2772)
      • ksomisc.exe (PID: 4416)
      • wpscloudsvr.exe (PID: 5172)
      • ksomisc.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 6356)
      • ksomisc.exe (PID: 6904)
      • wpscloudsvr.exe (PID: 7952)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 3156)
      • ksomisc.exe (PID: 6244)
      • pintaskbar.exe (PID: 7324)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 7328)
      • wps.exe (PID: 6400)
      • wps.exe (PID: 480)
      • ksomisc.exe (PID: 5400)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 1376)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 7688)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 7620)
      • ksomisc.exe (PID: 7936)
      • ksomisc.exe (PID: 1384)
      • wpsupdate.exe (PID: 7780)
      • wpsupdate.exe (PID: 4360)
      • ksomisc.exe (PID: 5580)
      • wpscloudsvr.exe (PID: 4320)
      • ksomisc.exe (PID: 7732)
      • ksomisc.exe (PID: 4792)
      • ksomisc.exe (PID: 7956)
      • ksomisc.exe (PID: 3420)
      • pintaskbar.exe (PID: 2964)
      • pintaskbar.exe (PID: 3984)
      • kstartscreenpinchecker64.exe (PID: 5480)
      • pintaskbar.exe (PID: 1508)
      • ksomisc.exe (PID: 6504)
      • pintaskbar.exe (PID: 5540)
      • pintaskbar.exe (PID: 6400)
      • wps.exe (PID: 4316)
      • wpscloudsvr.exe (PID: 7620)
      • ksomisc.exe (PID: 6376)
      • ksomisc.exe (PID: 7720)
      • wps.exe (PID: 7896)
      • ksomisc.exe (PID: 8064)
      • ksolaunch.exe (PID: 2920)
      • promecefpluginhost.exe (PID: 2616)
      • kwinappinstaller.exe (PID: 6548)
      • wps.exe (PID: 7332)
      • promecefpluginhost.exe (PID: 5608)
      • wpscloudsvr.exe (PID: 2880)
      • wps.exe (PID: 6456)
      • wpscloudsvr.exe (PID: 5472)
      • wps.exe (PID: 7324)
      • wps.exe (PID: 6124)
    • Reads the machine GUID from the registry

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • ksomisc.exe (PID: 7596)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 8176)
      • wpscloudsvr.exe (PID: 2772)
      • ksomisc.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 5172)
      • wpscloudsvr.exe (PID: 6356)
      • ksomisc.exe (PID: 4416)
      • ksomisc.exe (PID: 6904)
      • wpscloudsvr.exe (PID: 7952)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 6244)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 3156)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 7328)
      • wps.exe (PID: 6400)
      • ksomisc.exe (PID: 5400)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 1376)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 7688)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 7620)
      • wpsupdate.exe (PID: 7780)
      • ksomisc.exe (PID: 7776)
      • ksomisc.exe (PID: 1384)
      • wpsupdate.exe (PID: 4360)
      • ksomisc.exe (PID: 5580)
      • wpscloudsvr.exe (PID: 7628)
      • ksomisc.exe (PID: 7732)
      • ksomisc.exe (PID: 2384)
      • wpscloudsvr.exe (PID: 4320)
      • ksomisc.exe (PID: 7956)
      • ksomisc.exe (PID: 4792)
      • ksomisc.exe (PID: 3420)
      • ksomisc.exe (PID: 2388)
      • wps.exe (PID: 4316)
      • ksomisc.exe (PID: 6504)
      • wps.exe (PID: 7224)
      • ksomisc.exe (PID: 3100)
      • wps.exe (PID: 7896)
      • wpscloudsvr.exe (PID: 7620)
      • ksolaunch.exe (PID: 2920)
      • ksolaunch.exe (PID: 6108)
      • ksomisc.exe (PID: 8064)
      • ksomisc.exe (PID: 7720)
      • promecefpluginhost.exe (PID: 2616)
      • ksomisc.exe (PID: 6376)
      • wpscloudsvr.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 2880)
    • Creates files or folders in the user directory

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7596)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 8176)
      • ksomisc.exe (PID: 4416)
      • ksomisc.exe (PID: 5472)
      • ksomisc.exe (PID: 6904)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 6244)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 3156)
      • explorer.exe (PID: 6484)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 5400)
      • ksomisc.exe (PID: 7328)
      • ksomisc.exe (PID: 1376)
      • wps.exe (PID: 6400)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 7620)
      • ksomisc.exe (PID: 7688)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 7936)
      • wpsupdate.exe (PID: 7780)
      • OpenWith.exe (PID: 2636)
      • ksomisc.exe (PID: 7776)
      • ksomisc.exe (PID: 1384)
      • wpsupdate.exe (PID: 4360)
      • ksomisc.exe (PID: 5580)
      • ksomisc.exe (PID: 2384)
      • ksomisc.exe (PID: 7732)
      • ksomisc.exe (PID: 3420)
      • ksomisc.exe (PID: 4792)
      • ksomisc.exe (PID: 7956)
      • ksomisc.exe (PID: 2388)
      • ksomisc.exe (PID: 6504)
      • wps.exe (PID: 7224)
      • ksomisc.exe (PID: 3100)
      • wpscloudsvr.exe (PID: 7620)
      • wps.exe (PID: 7896)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 6376)
      • ksomisc.exe (PID: 8064)
      • promecefpluginhost.exe (PID: 5608)
    • The sample compiled with english language support

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • wpscloudsvr.exe (PID: 7620)
    • Reads the software policy settings

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • slui.exe (PID: 2388)
      • ksomisc.exe (PID: 7596)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 7696)
      • ksomisc.exe (PID: 7728)
      • ksomisc.exe (PID: 7932)
      • ksomisc.exe (PID: 5040)
      • ksomisc.exe (PID: 8120)
      • ksomisc.exe (PID: 8020)
      • ksomisc.exe (PID: 204)
      • ksomisc.exe (PID: 8176)
      • wpscloudsvr.exe (PID: 2772)
      • ksomisc.exe (PID: 5472)
      • wpscloudsvr.exe (PID: 6356)
      • ksomisc.exe (PID: 4416)
      • wpscloudsvr.exe (PID: 5172)
      • ksomisc.exe (PID: 6904)
      • wpscloudsvr.exe (PID: 7952)
      • ksomisc.exe (PID: 7860)
      • ksomisc.exe (PID: 6244)
      • ksomisc.exe (PID: 2760)
      • ksomisc.exe (PID: 3156)
      • ksomisc.exe (PID: 7404)
      • ksomisc.exe (PID: 2580)
      • ksomisc.exe (PID: 5508)
      • ksomisc.exe (PID: 7328)
      • ksomisc.exe (PID: 5400)
      • wps.exe (PID: 6400)
      • ksomisc.exe (PID: 5764)
      • ksomisc.exe (PID: 1376)
      • ksomisc.exe (PID: 6872)
      • ksomisc.exe (PID: 1792)
      • ksomisc.exe (PID: 7172)
      • ksomisc.exe (PID: 7688)
      • ksomisc.exe (PID: 7720)
      • ksomisc.exe (PID: 7620)
      • OpenWith.exe (PID: 2636)
      • ksomisc.exe (PID: 1384)
      • ksomisc.exe (PID: 7936)
      • ksomisc.exe (PID: 7776)
      • ksomisc.exe (PID: 7732)
      • wpscloudsvr.exe (PID: 7628)
      • ksomisc.exe (PID: 2384)
      • wpscloudsvr.exe (PID: 4320)
      • ksomisc.exe (PID: 7956)
      • ksomisc.exe (PID: 4792)
      • ksomisc.exe (PID: 3420)
      • ksomisc.exe (PID: 3100)
      • wps.exe (PID: 4316)
      • ksomisc.exe (PID: 6504)
      • wps.exe (PID: 7224)
      • wps.exe (PID: 7896)
      • ksolaunch.exe (PID: 6108)
      • ksomisc.exe (PID: 6376)
      • ksomisc.exe (PID: 8064)
      • ksomisc.exe (PID: 7720)
      • ksolaunch.exe (PID: 2920)
      • wpscloudsvr.exe (PID: 2880)
      • wpscloudsvr.exe (PID: 5472)
      • wps.exe (PID: 6124)
      • ksomisc.exe (PID: 5580)
    • Checks proxy server information

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • slui.exe (PID: 2388)
      • wps.exe (PID: 7896)
    • Creates files in the program directory

      • wps_lid.lid-s8Cl2MJuCAw3.exe (PID: 7388)
      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Create files in a temporary directory

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
      • ksomisc.exe (PID: 7404)
      • wps.exe (PID: 7896)
      • wpscloudsvr.exe (PID: 5472)
    • The sample compiled with chinese language support

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • The sample compiled with japanese language support

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Creates a software uninstall entry

      • eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe (PID: 7884)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6484)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:08:18 07:42:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4227584
InitializedDataSize: 1556480
UninitializedDataSize: -
EntryPoint: 0x2b9d57
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 12.2.0.21567
ProductVersionNumber: 12.2.0.21567
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription: WPS Office Setup
FileVersion: 12,2,0,21567
InternalName: konlinesetup_xa
LegalCopyright: Copyright©2025 Kingsoft Corporation. All rights reserved.
OriginalFileName: konlinesetup_xa.exe
ProductName: WPS Office
ProductVersion: 12,2,0,21567
MIMEType: -
No data.
All screenshots are available in the full report
Total processes: 252
Monitored processes: 101
Malicious processes: 5
Suspicious processes: 19

Behavior graph

start wps_lid.lid-s8cl2mjucaw3.exe eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_xa_mui_free.exe.601.1115.exe slui.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe pintaskbar.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe wps.exe wps.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe openwith.exe ksomisc.exe ksomisc.exe wpsupdate.exe wpsupdate.exe regsvr32.exe no specs ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe kstartscreenpinchecker64.exe pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs pintaskbar.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe wps.exe no specs ksolaunch.exe no specs wps.exe wpscloudsvr.exe wps.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksolaunch.exe no specs ksolaunch.exe no specs promecefpluginhost.exe no specs wpscloudsvr.exe wpscloudsvr.exe wps.exe no specs wps.exe no specs kwinappinstaller.exe no specs promecefpluginhost.exe wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs kwpswnsserver.exe no specs wps.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 204
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe" -regprogid true
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe
Parent process: eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 480
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\wps.exe" CheckService
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\wps.exe
Parent process: wps.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office
Exit code:
10
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\wps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1132
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\pinTaskbar.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WPS Docs.lnk" 51606
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\pintaskbar.exe
Parent process: ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\pintaskbar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1376
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus -source=1
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe
Parent process: eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1376
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\pinTaskbar.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WPS PDF.lnk" 51606
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\pintaskbar.exe
Parent process: ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\pintaskbar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1384
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\\office6\ksomisc.exe" -assoepub -source=1
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe
Parent process: eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1508
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\pinTaskbar.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WPS Sheets.lnk" 51606
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\pintaskbar.exe
Parent process: ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\pintaskbar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1664
CMD: /s "C:\Users\admin\AppData\Roaming\Kingsoft\office6\msoaddins\x64\kmso2pdfplugins64_1.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1792
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe" -createsubmodulelink startmenu et -source=1
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe
Parent process: eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2384
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe" -regPreviewHandler
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.23155\office6\ksomisc.exe
Parent process: eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,23155
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.23155\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
Total events: 325 829
Read events: 319 941
Write events: 4 246
Delete events: 1 642

Modification events

(PID) Process: (6484) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0258
Operation: write
Name: VirtualDesktop
Value: 10000000303044565218B664F819E445A4336996568F0080

(PID) Process: (6484) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000050338
Operation: write
Name: VirtualDesktop
Value: 10000000303044565218B664F819E445A4336996568F0080

(PID) Process: (6484) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000050330
Operation: write
Name: VirtualDesktop
Value: 10000000303044565218B664F819E445A4336996568F0080

(PID) Process: (6484) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C02E6
Operation: write
Name: VirtualDesktop
Value: 10000000303044565218B664F819E445A4336996568F0080

(PID) Process: (7388) wps_lid.lid-s8Cl2MJuCAw3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: infoHdid
Value: ca7bdcada05173334ed57443659aff06

(PID) Process: (7388) wps_lid.lid-s8Cl2MJuCAw3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: onlinesetup_penetrate_id_type
Value: web

(PID) Process: (7388) wps_lid.lid-s8Cl2MJuCAw3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: onlinesetup_penetrate_id
Value: lid-s8Cl2MJuCAw3

(PID) Process: (7388) wps_lid.lid-s8Cl2MJuCAw3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: startup_time
Value: 2025-11-09 03

(PID) Process: (7388) wps_lid.lid-s8Cl2MJuCAw3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation: write
Name: global_progress
Value: startup

(PID) Process: (7388) wps_lid.lid-s8Cl2MJuCAw3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\Common
Operation: write
Name: newGuideShow
Value: 1

Executable files
473
Suspicious files
1 524
Text files
2 500
Unknown types
30

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | C:\ProgramData\WPS\Installers\eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_et.txt | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_pdf.txt | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_prometheus.txt | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_prome_init.txt | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_qing.txt | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_wpp.txt | | |
7884 | eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | C:\Users\admin\AppData\Local\Temp\wps\~1658c3\CONTROL\prereadimages_wps.txt | | |
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary | 8D1CCB749E8AD91573BB2E53BA9AD7A1 | 85E853C15142C44E518B80F730522576A1C8511C30949AB61291D4CFF83D3734
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_660CACFBF957CBCC19C054A0402E41C3 | binary | A46E5721578921D1BDCEF74311C81F46 | 74496548F367B15DB5720CDD24F3EFA44FE355F91C8BF235D881158BF72FDEE1
HTTP(S) requests
8
TCP/UDP connections
151
DNS requests
50
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | US | binary | 471 b | whitelisted
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | US | binary | 727 b | whitelisted
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA9S8pUz7rrUEVA2eU7hB08%3D | US | binary | 727 b | whitelisted
5172 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | DE | binary | 813 b | whitelisted
5172 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | DE | binary | 814 b | whitelisted
5172 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | DE | binary | 401 b | whitelisted
2792 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4916 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2792 | svchost.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5040 | RUXIMICS.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5596 | MoUsoCoreWorker.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | 142.250.186.46:443 | www.google-analytics.com | GOOGLE | US | whitelisted
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | 90.84.175.86:443 | params.wps.com | Orange | FR | whitelisted
7388 | wps_lid.lid-s8Cl2MJuCAw3.exe | 89.222.119.91:443 | wdl1.pcfg.cache.wpscdn.com | Syntec LTD | GB | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4916 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4916 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.142 | whitelisted
www.google-analytics.com | 142.250.186.46, 142.250.186.78 | whitelisted
params.wps.com | 90.84.175.86 | whitelisted
wdl1.pcfg.cache.wpscdn.com | 89.222.119.91 | unknown
api.wps.com | 90.84.175.86 | whitelisted
login.live.com | 20.190.160.20, 20.190.160.67, 20.190.160.17, 40.126.32.72, 40.126.32.140, 20.190.160.65, 40.126.32.133, 40.126.32.74 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
crl.microsoft.com | 2.20.245.137, 2.20.245.138 | whitelisted
s.wps.com | 90.84.175.86 | whitelisted

Threats

PID | Process | Class | Message
 | | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2276 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Process | Message
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | [kscreen] isElide:0 switchRec:0 switchRecElide:1
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_BrandAreaWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
eada1507f3f2d1ea38b4b3c1c06b0508-16_setup_XA_mui_Free.exe.601.1115.exe | QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout