URL: http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/upgrade/11.2.0.9232/diffpatch/diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe,

Full analysis: https://app.any.run/tasks/9db85102-b33d-4ec3-b36b-f8f733537e63
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 19, 2020, 15:59:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: 89256294538A64572F22C0368DBFAFF7
SHA1: EE3F1D85D3E747881B21E0A76B72CE84E8549725
SHA256: 9A9FBE4283A3EF90D1898BC79793D69A35DAEBE73E2C782E438CEEC17EB36E7B
SSDEEP: 3:N1KJBaWjNRoTJVGJbWDxdeZMDJLYesMcLbKg6jVgAYiXRJMLhNJ:CSWxMVGJ6sZMDdYjM6OxDXRJML9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 1500)
      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
      • ksomisc.exe (PID: 2892)
      • wpscloudsvr.exe (PID: 3952)
      • ksomisc.exe (PID: 3284)
      • ksomisc.exe (PID: 3312)
      • ksomisc.exe (PID: 2844)
      • ksomisc.exe (PID: 2956)
      • ksomisc.exe (PID: 376)
      • ksomisc.exe (PID: 2140)
      • ksomisc.exe (PID: 3052)
      • ksomisc.exe (PID: 1256)
      • ksomisc.exe (PID: 2072)
      • ksomisc.exe (PID: 3676)
      • ksomisc.exe (PID: 3364)
      • ksomisc.exe (PID: 3672)
      • ksomisc.exe (PID: 2428)
      • ksomisc.exe (PID: 1836)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3824)
    • Changes settings of System certificates

      • wpscloudsvr.exe (PID: 3952)
      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2976)
      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
    • Creates files in the user directory

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 1500)
    • Application launched itself

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 1500)
    • Reads Internet Cache Settings

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
    • Creates a software uninstall entry

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 1500)
    • Adds / modifies Windows certificates

      • wpscloudsvr.exe (PID: 3952)
      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3824)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3824)
      • iexplore.exe (PID: 2976)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2976)
    • Changes internet zones settings

      • iexplore.exe (PID: 2976)
    • Dropped object may contain Bitcoin addresses

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
    • Reads settings of System Certificates

      • diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe (PID: 3328)
      • wpscloudsvr.exe (PID: 3952)
      • iexplore.exe (PID: 2976)
    • Creates files in the user directory

      • iexplore.exe (PID: 2976)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2976)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report.) Nodes: iexplore.exe (x2), diff_mui_11.2.0.9085_free_new_startpage_to_11.2.0.9232_free.exe (x2), ksomisc.exe (x16, no specs), wpscloudsvr.exe (no specs); edges are labelled "drop and start" and "start".

Process information

PID 376
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -Assoword
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 1256
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -compatiblemso
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 1500
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
Parent process: iexplore.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Install Application
Exit code: 0
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\diff_mui_11.2.0.9085_free_new_startpage_to_11.2.0.9232_free.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 1836
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -sendinstalldyn 5
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 2072
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -checkcompatiblemso
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 2140
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -Assoexcel
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 2428
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -updatetaskbarpin 262144 -forceperusermode -forceperusermode
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 0
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 2844
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -register
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 2892
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe" -setlng en_US
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: MEDIUM
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 2956
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\\office6\ksomisc.exe" -setappcap
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.9232\office6\ksomisc.exe
Parent process: diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe
User: admin
Company: Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level: HIGH
Description: WPS Office Module
Exit code: 3221225781
Version: 11,2,0,9232
Modules (images):
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.9232\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events: 6 311
Read events: 1 099
Write events: 3 939
Delete events: 1 273

Modification events

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 2153713660

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30801415

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (omitted)

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 21
Suspicious files: 333
Text files: 197
Unknown types: 46

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2976 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2976 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB17DF05088675AD0.TMP | - | - | -
3824 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free[1].exe | - | - | -
3824 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe.bhbvdjo.partial | - | - | -
2976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe.bhbvdjo.partial:Zone.Identifier | - | - | -
2976 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabD61.tmp | - | - | -
2976 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarD62.tmp | - | - | -
2976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDB1.tmp | - | - | -
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | C:\Users\admin\AppData\Local\Temp\wps\~a712ff\CONTROL\prereadimages_et.txt | - | - | -
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | C:\Users\admin\AppData\Local\Temp\wps\~a712ff\CONTROL\prereadimages_prometheus.txt | - | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 16
DNS requests: 10
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3824 | iexplore.exe | GET | 404 | 103.38.144.120:80 | http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/upgrade/11.2.0.9232/diffpatch/diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe, | HK | html | 571 b | malicious
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | GET | 200 | 93.184.220.29:80 | http://ocsp1.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAvseGjyi5huKs%2FWs8uiWS4%3D | US | der | 471 b | whitelisted
2976 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D | US | der | 471 b | whitelisted
2976 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3824 | iexplore.exe | GET | 200 | 103.38.144.120:80 | http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/upgrade/11.2.0.9232/diffpatch/diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | HK | executable | 12.6 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3824 | iexplore.exe | 103.38.144.120:80 | wdl1.pcfg.cache.wpscdn.com | Livecom Limited | HK | suspicious
2976 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2976 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | 52.36.223.158:443 | api-web-param-us.wps.com | Amazon.com, Inc. | US | unknown
2976 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2976 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3328 | diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
wdl1.pcfg.cache.wpscdn.com | 103.38.144.120 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api-web-param-us.wps.com | 52.36.223.158, 54.148.229.152, 52.33.222.78, 50.112.171.73, 34.208.223.143, 54.187.59.248 | suspicious
ocsp1.digicert.com | 93.184.220.29 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted

Threats

PID | Process | Class | Message
3824 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Process | Message
diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | [kscreen] isElide:0 switchRec:0 switchRecElide:1
diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | [kscreen] now screensaver is
diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | unregister dll path:qingshellext.dll
diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | unregister dll path:qingshellext.dll
diff_mui_11.2.0.9085_Free_new_startpage_to_11.2.0.9232_Free.exe | unInstall qingshellex success!