File name: 2c373947-d782-4b30-bdd2-093e673d764e

Full analysis: https://app.any.run/tasks/ca94159b-9d0e-43f1-961f-5016559a188c
Verdict: Malicious activity
Analysis date: September 23, 2025, 14:17:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
wps
anti-evasion
crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: E835C4F1A22BC52E9F4ED71E11C78906
SHA1: 583EFF97E90FD08CC6C1FA4EC78BE8BBAA0C43EA
SHA256: B48EA038A1CCA95F2D3D7011B8BE258A2BD584E12FBFD3B39E418057D9DAD55F
SSDEEP: 98304:kKs0ezErO5Co+rum+pwv2Y2BX7nCCYsG13/o4bOISnRi7t80SJLdCTYLt1KyP9tT:0M6n0Ed

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ksomisc.exe (PID: 1872)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 5620)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • Runs injected code in another process

      • pintaskbar.exe (PID: 620)
      • pintaskbar.exe (PID: 6504)
      • pintaskbar.exe (PID: 3576)
    • Actions look like stealing of personal data

      • wpscenter.exe (PID: 1980)
  • SUSPICIOUS

    • WPS mutex has been found

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • wpsupdate.exe (PID: 4808)
      • wps.exe (PID: 1388)
      • wpscloudsvr.exe (PID: 5184)
      • wps.exe (PID: 4832)
    • The process checks if it is being run in a virtual environment

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Executable content was dropped or overwritten

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 5620)
      • wps.exe (PID: 1388)
      • wpscloudsvr.exe (PID: 5184)
    • Reads security settings of Internet Explorer

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 4544)
      • ksomisc.exe (PID: 2508)
      • wpscloudsvr.exe (PID: 360)
      • ksomisc.exe (PID: 2216)
      • wpscloudsvr.exe (PID: 5776)
      • ksomisc.exe (PID: 6900)
      • wpscloudsvr.exe (PID: 2112)
      • ksomisc.exe (PID: 4056)
      • wpscloudsvr.exe (PID: 864)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 6620)
      • ksomisc.exe (PID: 3872)
      • ksomisc.exe (PID: 2808)
      • wps.exe (PID: 3980)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 3588)
      • ksomisc.exe (PID: 5620)
      • wpscloudsvr.exe (PID: 4232)
      • ksomisc.exe (PID: 6412)
      • wpscloudsvr.exe (PID: 4744)
      • ksomisc.exe (PID: 5876)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 1808)
      • ksomisc.exe (PID: 5556)
      • wps.exe (PID: 1100)
      • ksomisc.exe (PID: 6600)
      • wps.exe (PID: 1388)
      • wpscloudsvr.exe (PID: 5184)
      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • wps.exe (PID: 4832)
      • ksomisc.exe (PID: 3588)
      • ksomisc.exe (PID: 6788)
      • ksolaunch.exe (PID: 1028)
      • ksolaunch.exe (PID: 5240)
      • ksomisc.exe (PID: 1840)
      • wpscloudsvr.exe (PID: 4040)
      • wpscloudsvr.exe (PID: 1232)
      • wps.exe (PID: 6504)
      • wps.exe (PID: 6152)
      • wps.exe (PID: 3112)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 5552)
      • wps.exe (PID: 6092)
      • wpscenter.exe (PID: 4044)
      • windowsappruntimeinstall.exe (PID: 5400)
      • wpscenter.exe (PID: 1980)
      • wps.exe (PID: 2400)
      • ksomisc.exe (PID: 6264)
      • ksomisc.exe (PID: 1468)
      • wpscenter.exe (PID: 7172)
      • wpscenter.exe (PID: 1232)
      • ksomisc.exe (PID: 7304)
      • ksomisc.exe (PID: 7284)
      • wpscenter.exe (PID: 7368)
    • There is functionality for taking screenshot (YARA)

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Process drops SQLite DLL files

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • The process creates files with names similar to system file names

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • wpscloudsvr.exe (PID: 5184)
    • Creates a software uninstall entry

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Creates a file in the system drive root

      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 2508)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 4544)
      • ksomisc.exe (PID: 2216)
      • ksomisc.exe (PID: 6900)
      • ksomisc.exe (PID: 4056)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 3872)
      • ksomisc.exe (PID: 6620)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 2808)
      • wps.exe (PID: 6304)
      • ksomisc.exe (PID: 1868)
      • wps.exe (PID: 3980)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 3588)
      • ksomisc.exe (PID: 5876)
      • ksomisc.exe (PID: 5620)
      • ksomisc.exe (PID: 6412)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 1808)
      • wps.exe (PID: 1388)
      • wps.exe (PID: 1100)
      • ksomisc.exe (PID: 6600)
      • wpscloudsvr.exe (PID: 5184)
      • wps.exe (PID: 4832)
      • ksomisc.exe (PID: 5556)
      • ksomisc.exe (PID: 3588)
      • ksomisc.exe (PID: 1840)
      • ksomisc.exe (PID: 6788)
      • wpscloudsvr.exe (PID: 4040)
      • wpscloudsvr.exe (PID: 1232)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 6152)
      • wps.exe (PID: 6504)
      • wps.exe (PID: 3112)
      • wps.exe (PID: 3396)
      • wps.exe (PID: 2432)
      • wps.exe (PID: 6092)
      • wps.exe (PID: 5552)
      • wpscenter.exe (PID: 1980)
      • wpscenter.exe (PID: 4044)
      • wps.exe (PID: 2400)
      • ksomisc.exe (PID: 6264)
      • ksomisc.exe (PID: 1468)
      • wpscenter.exe (PID: 1232)
      • wpscenter.exe (PID: 7172)
    • The process drops C-runtime libraries

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Process drops legitimate windows executable

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • The process verifies whether antivirus software is installed

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Creates/Modifies COM task schedule object

      • ksomisc.exe (PID: 1872)
      • regsvr32.exe (PID: 6164)
    • Application launched itself

      • wps.exe (PID: 3980)
      • wps.exe (PID: 1388)
      • wps.exe (PID: 4832)
    • Searches for installed software

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 6788)
    • Found regular expressions for crypto-addresses (YARA)

      • ksomisc.exe (PID: 3588)
    • Starts itself from another location

      • wpscloudsvr.exe (PID: 5184)
  • INFO

    • Creates files or folders in the user directory

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 2508)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 4544)
      • ksomisc.exe (PID: 2216)
      • ksomisc.exe (PID: 6900)
      • ksomisc.exe (PID: 4056)
      • OpenWith.exe (PID: 6688)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 6620)
      • ksomisc.exe (PID: 3872)
      • explorer.exe (PID: 4772)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 2808)
      • wps.exe (PID: 3980)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 3588)
      • wpsupdate.exe (PID: 4808)
      • wpsupdate.exe (PID: 4044)
      • ksomisc.exe (PID: 5620)
      • ksomisc.exe (PID: 5876)
      • ksomisc.exe (PID: 6412)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 1808)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 6600)
      • wps.exe (PID: 1388)
      • ksomisc.exe (PID: 5556)
      • wps.exe (PID: 4832)
      • ksomisc.exe (PID: 1840)
      • wpscloudsvr.exe (PID: 5184)
      • ksomisc.exe (PID: 6788)
      • ksomisc.exe (PID: 3588)
      • wpscloudsvr.exe (PID: 4040)
      • wpscloudsvr.exe (PID: 1232)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 6092)
      • wps.exe (PID: 5552)
      • promecefpluginhost.exe (PID: 2096)
      • wpscenter.exe (PID: 4044)
      • chromelauncher.exe (PID: 7224)
    • Reads the software policy settings

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • slui.exe (PID: 5348)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 2508)
      • ksomisc.exe (PID: 4072)
      • wpscloudsvr.exe (PID: 360)
      • ksomisc.exe (PID: 4544)
      • ksomisc.exe (PID: 2216)
      • wpscloudsvr.exe (PID: 5776)
      • wpscloudsvr.exe (PID: 2112)
      • ksomisc.exe (PID: 4056)
      • ksomisc.exe (PID: 6900)
      • wpscloudsvr.exe (PID: 864)
      • OpenWith.exe (PID: 6688)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 3872)
      • ksomisc.exe (PID: 6620)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 2808)
      • wps.exe (PID: 3980)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 3588)
      • wpsupdate.exe (PID: 4808)
      • ksomisc.exe (PID: 5620)
      • ksomisc.exe (PID: 5876)
      • wpscloudsvr.exe (PID: 4232)
      • ksomisc.exe (PID: 6412)
      • wpscloudsvr.exe (PID: 4744)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 1808)
      • wps.exe (PID: 1100)
      • ksomisc.exe (PID: 5556)
      • ksomisc.exe (PID: 6600)
      • wps.exe (PID: 1388)
      • wpscloudsvr.exe (PID: 5184)
      • wps.exe (PID: 4832)
      • ksomisc.exe (PID: 1840)
      • ksomisc.exe (PID: 6788)
      • ksolaunch.exe (PID: 5240)
      • ksomisc.exe (PID: 3588)
      • ksolaunch.exe (PID: 1028)
      • wpscloudsvr.exe (PID: 1232)
      • wpscloudsvr.exe (PID: 4040)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 3112)
      • wps.exe (PID: 6504)
      • wps.exe (PID: 6152)
      • wps.exe (PID: 6092)
      • wps.exe (PID: 5552)
      • wpscenter.exe (PID: 4044)
      • wpscenter.exe (PID: 1980)
      • ksomisc.exe (PID: 6264)
      • wps.exe (PID: 2400)
      • ksomisc.exe (PID: 1468)
      • wpscenter.exe (PID: 7172)
      • wpscenter.exe (PID: 1232)
      • ksomisc.exe (PID: 7304)
      • wpscenter.exe (PID: 7368)
      • ksomisc.exe (PID: 7284)
    • Reads the computer name

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 2508)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 4544)
      • wpscloudsvr.exe (PID: 360)
      • ksomisc.exe (PID: 2216)
      • wpscloudsvr.exe (PID: 5776)
      • ksomisc.exe (PID: 6900)
      • wpscloudsvr.exe (PID: 2112)
      • ksomisc.exe (PID: 4056)
      • wpscloudsvr.exe (PID: 864)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 6620)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 3872)
      • ksomisc.exe (PID: 2808)
      • wps.exe (PID: 3980)
      • wps.exe (PID: 6304)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 3588)
      • wpsupdate.exe (PID: 4808)
      • ksomisc.exe (PID: 5620)
      • ksomisc.exe (PID: 5876)
      • wpsupdate.exe (PID: 4044)
      • wpscloudsvr.exe (PID: 4232)
      • ksomisc.exe (PID: 6412)
      • wpscloudsvr.exe (PID: 4744)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 1808)
      • wps.exe (PID: 1388)
      • wps.exe (PID: 1100)
      • ksomisc.exe (PID: 6600)
      • ksomisc.exe (PID: 5556)
      • wpscloudsvr.exe (PID: 5184)
      • ksomisc.exe (PID: 3588)
      • ksomisc.exe (PID: 6788)
      • ksomisc.exe (PID: 1840)
      • promecefpluginhost.exe (PID: 5432)
      • wpscloudsvr.exe (PID: 4040)
      • wpscloudsvr.exe (PID: 1232)
      • wps.exe (PID: 4832)
      • promecefpluginhost.exe (PID: 2096)
      • wps.exe (PID: 2432)
      • wps.exe (PID: 3396)
      • kwinappinstaller.exe (PID: 4676)
      • kwpswnsserver.exe (PID: 7032)
      • windowsappruntimeinstall.exe (PID: 5400)
      • wpscenter.exe (PID: 1980)
      • wps.exe (PID: 2400)
      • ksomisc.exe (PID: 6264)
      • wpscenter.exe (PID: 4044)
      • ksomisc.exe (PID: 1468)
      • wpscenter.exe (PID: 7172)
      • wpscenter.exe (PID: 1232)
    • Checks supported languages

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 2508)
      • ksomisc.exe (PID: 4544)
      • wpscloudsvr.exe (PID: 360)
      • ksomisc.exe (PID: 2216)
      • wpscloudsvr.exe (PID: 5776)
      • ksomisc.exe (PID: 6900)
      • wpscloudsvr.exe (PID: 2112)
      • ksomisc.exe (PID: 4056)
      • wpscloudsvr.exe (PID: 864)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 3872)
      • ksomisc.exe (PID: 6620)
      • pintaskbar.exe (PID: 620)
      • ksomisc.exe (PID: 2808)
      • wps.exe (PID: 6304)
      • ksomisc.exe (PID: 1868)
      • wps.exe (PID: 3980)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 3588)
      • wpsupdate.exe (PID: 4808)
      • wpsupdate.exe (PID: 4044)
      • ksomisc.exe (PID: 5620)
      • wpscloudsvr.exe (PID: 4744)
      • ksomisc.exe (PID: 5876)
      • wpscloudsvr.exe (PID: 4232)
      • ksomisc.exe (PID: 6412)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 4552)
      • pintaskbar.exe (PID: 3576)
      • ksomisc.exe (PID: 6408)
      • pintaskbar.exe (PID: 6504)
      • ksomisc.exe (PID: 1808)
      • ksomisc.exe (PID: 6600)
      • wps.exe (PID: 1100)
      • ksomisc.exe (PID: 5556)
      • wps.exe (PID: 1388)
      • wpscloudsvr.exe (PID: 5184)
      • wps.exe (PID: 4832)
      • ksomisc.exe (PID: 6788)
      • ksomisc.exe (PID: 1840)
      • ksolaunch.exe (PID: 1028)
      • ksolaunch.exe (PID: 5240)
      • ksomisc.exe (PID: 3588)
      • wpscloudsvr.exe (PID: 1232)
      • wpscloudsvr.exe (PID: 4040)
      • promecefpluginhost.exe (PID: 5432)
      • promecefpluginhost.exe (PID: 2096)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 3112)
      • wps.exe (PID: 6152)
      • wps.exe (PID: 6504)
      • wps.exe (PID: 3396)
      • kwinappinstaller.exe (PID: 4676)
      • wps.exe (PID: 2432)
      • wps.exe (PID: 5552)
      • kwpswnsserver.exe (PID: 7032)
      • wps.exe (PID: 6092)
      • windowsappruntimeinstall.exe (PID: 5400)
      • wpscenter.exe (PID: 4044)
      • wpscenter.exe (PID: 1980)
      • wps.exe (PID: 2400)
      • ksomisc.exe (PID: 6264)
      • ksomisc.exe (PID: 1468)
      • chromelauncher.exe (PID: 7224)
      • wpscenter.exe (PID: 1232)
      • ksomisc.exe (PID: 7304)
      • wpscenter.exe (PID: 7172)
      • ksomisc.exe (PID: 7284)
      • wpscenter.exe (PID: 7368)
    • Reads the machine GUID from the registry

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 3968)
      • ksomisc.exe (PID: 1268)
      • ksomisc.exe (PID: 5300)
      • ksomisc.exe (PID: 1868)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 1192)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 2508)
      • ksomisc.exe (PID: 4544)
      • wpscloudsvr.exe (PID: 360)
      • ksomisc.exe (PID: 2216)
      • wpscloudsvr.exe (PID: 5776)
      • ksomisc.exe (PID: 6900)
      • wpscloudsvr.exe (PID: 2112)
      • ksomisc.exe (PID: 4056)
      • wpscloudsvr.exe (PID: 864)
      • ksomisc.exe (PID: 888)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 3872)
      • ksomisc.exe (PID: 320)
      • ksomisc.exe (PID: 6620)
      • ksomisc.exe (PID: 2808)
      • ksomisc.exe (PID: 1868)
      • wps.exe (PID: 3980)
      • ksomisc.exe (PID: 4172)
      • ksomisc.exe (PID: 3620)
      • ksomisc.exe (PID: 2648)
      • ksomisc.exe (PID: 2124)
      • ksomisc.exe (PID: 7000)
      • ksomisc.exe (PID: 3588)
      • wpsupdate.exe (PID: 4808)
      • ksomisc.exe (PID: 6208)
      • ksomisc.exe (PID: 5620)
      • ksomisc.exe (PID: 5876)
      • wpsupdate.exe (PID: 4044)
      • wpscloudsvr.exe (PID: 4232)
      • ksomisc.exe (PID: 6412)
      • wpscloudsvr.exe (PID: 4744)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 1844)
      • ksomisc.exe (PID: 6408)
      • ksomisc.exe (PID: 1808)
      • ksomisc.exe (PID: 6600)
      • wps.exe (PID: 1100)
      • wps.exe (PID: 1388)
      • ksomisc.exe (PID: 5556)
      • wpscloudsvr.exe (PID: 5184)
      • wps.exe (PID: 4832)
      • ksomisc.exe (PID: 1840)
      • ksolaunch.exe (PID: 1028)
      • ksomisc.exe (PID: 6788)
      • ksolaunch.exe (PID: 5240)
      • wpscloudsvr.exe (PID: 4040)
      • ksomisc.exe (PID: 3588)
      • promecefpluginhost.exe (PID: 2096)
      • promecefpluginhost.exe (PID: 5432)
      • wpscloudsvr.exe (PID: 1232)
      • wps.exe (PID: 6504)
      • wps.exe (PID: 6152)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 3112)
      • wps.exe (PID: 6092)
      • wps.exe (PID: 5552)
      • windowsappruntimeinstall.exe (PID: 5400)
      • wpscenter.exe (PID: 1980)
      • wpscenter.exe (PID: 4044)
      • wps.exe (PID: 2400)
      • ksomisc.exe (PID: 6264)
      • ksomisc.exe (PID: 1468)
      • wpscenter.exe (PID: 7172)
      • wpscenter.exe (PID: 1232)
      • ksomisc.exe (PID: 7304)
      • wpscenter.exe (PID: 7368)
      • ksomisc.exe (PID: 7284)
    • Process checks computer location settings

      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
      • ksomisc.exe (PID: 1872)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 4544)
      • ksomisc.exe (PID: 2216)
      • ksomisc.exe (PID: 6900)
      • ksomisc.exe (PID: 4056)
      • ksomisc.exe (PID: 3872)
      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 5620)
      • ksomisc.exe (PID: 6412)
      • ksomisc.exe (PID: 5876)
      • ksomisc.exe (PID: 4552)
      • ksomisc.exe (PID: 6408)
      • wps.exe (PID: 6068)
      • wps.exe (PID: 6504)
      • wps.exe (PID: 4832)
      • wps.exe (PID: 6092)
      • wps.exe (PID: 5552)
    • Creates files in a temporary directory

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • ksomisc.exe (PID: 3872)
      • wps.exe (PID: 4832)
      • wpscloudsvr.exe (PID: 1232)
      • windowsappruntimeinstall.exe (PID: 5400)
    • The sample was compiled with English language support

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
      • wpscloudsvr.exe (PID: 5184)
    • The sample was compiled with Chinese language support

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • The sample was compiled with Japanese language support

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
    • Checks proxy server information

      • slui.exe (PID: 5348)
      • OpenWith.exe (PID: 6688)
      • wpsupdate.exe (PID: 4808)
      • wpsupdate.exe (PID: 4044)
      • wps.exe (PID: 4832)
      • 2c373947-d782-4b30-bdd2-093e673d764e.exe (PID: 3148)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • OpenWith.exe (PID: 6688)
    • Manual execution by a user

      • WinRAR.exe (PID: 2292)
    • Creates files in the program directory

      • cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe (PID: 4084)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:19 11:28:18+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4136448
InitializedDataSize: 1502208
UninitializedDataSize: -
EntryPoint: 0x2a57df
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 12.2.0.21209
ProductVersionNumber: 12.2.0.21209
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription: WPS Office Setup
FileVersion: 12,2,0,21209
InternalName: konlinesetup_xa
LegalCopyright: Copyright©2025 Kingsoft Corporation. All rights reserved.
OriginalFileName: konlinesetup_xa.exe
ProductName: WPS Office
ProductVersion: 12,2,0,21209
MIMEType: -
No data.
All screenshots are available in the full report
Total processes: 247
Monitored processes: 100
Malicious processes: 6
Suspicious processes: 10

Behavior graph

start 2c373947-d782-4b30-bdd2-093e673d764e.exe cff2f906a22e99b9f9906563684b77e7-16_setup_xa_mui_free.exe.601.1147.exe slui.exe rundll32.exe no specs winrar.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs openwith.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe pintaskbar.exe no specs ksomisc.exe wps.exe wps.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe wpsupdate.exe wpsupdate.exe regsvr32.exe no specs ksomisc.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe wpscloudsvr.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe pintaskbar.exe no specs pintaskbar.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe wps.exe no specs wps.exe wpscloudsvr.exe wps.exe no specs ksomisc.exe ksomisc.exe ksomisc.exe ksolaunch.exe no specs ksolaunch.exe no specs wpscloudsvr.exe wpscloudsvr.exe promecefpluginhost.exe no specs promecefpluginhost.exe wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs wps.exe no specs kwinappinstaller.exe no specs wps.exe no specs kwpswnsserver.exe no specs wps.exe no specs windowsappruntimeinstall.exe no specs conhost.exe no specs wpscenter.exe wpscenter.exe wps.exe ksomisc.exe ksomisc.exe wpscenter.exe wpscenter.exe chromelauncher.exe no specs ksomisc.exe no specs ksomisc.exe no specs wpscenter.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 320
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe" -distsrc 00601.00001147
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe
Parent process: cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 360
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\wpscloudsvr.exe" Run -User=Admin "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe" -setappcap
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\wpscloudsvr.exe
Parent process: ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office service program for service such as login and Cloud storage
Exit code:
69468168
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\wpscloudsvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 504
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Users\admin\AppData\Roaming\Kingsoft\office6\msoaddins\x86\kmso2pdfplugins_1.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: ksomisc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 620
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\pinTaskbar.exe" "C:\Users\admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk" 5386
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\pintaskbar.exe
Parent process: ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Exit code:
0
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\pintaskbar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 864
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\wpscloudsvr.exe" Run -User=Admin "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe" -setappcap
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\wpscloudsvr.exe
Parent process: ksomisc.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office service program for service such as login and Cloud storage
Exit code:
69468168
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\wpscloudsvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 864
CMD: /s "C:\Users\admin\AppData\Roaming\Kingsoft\office6\msoaddins\x64\kmso2pdfplugins64_1.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 888
CMD: "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe" -checkcompatiblemso
Path: C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe
Parent process: cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
1028
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
Parent process:
wpscloudsvr.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office
Exit code:
0
Version:
12,2,0,22549
Modules
Images
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
1100
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\\office6\wps.exe" Run -User=Admin "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\\office6\ksomisc.exe" -defragment
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\wps.exe
Parent process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office
Exit code:
69468168
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\wps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
1192
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe" -regmtfont
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\12.2.0.22549\office6\ksomisc.exe
Parent process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
12,2,0,22549
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\12.2.0.22549\office6\ksomisc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
Total events
329 470
Read events
323 708
Write events
4 223
Delete events
1 539

Modification events

(PID) Process:
(3148) 2c373947-d782-4b30-bdd2-093e673d764e.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation:
write
Name:
infoGuid
Value:
F60021B3FEB944F4B67E88EC56200742
(PID) Process:
(3148) 2c373947-d782-4b30-bdd2-093e673d764e.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\plugins\kdcsdk
Operation:
write
Name:
countrycode
Value:
US
(PID) Process:
(3148) 2c373947-d782-4b30-bdd2-093e673d764e.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\kingsoft\Office\6.0\plugins\kdcsdk
Operation:
write
Name:
lastupdatecountrycode
Value:
1758637080730
(PID) Process:
(3148) 2c373947-d782-4b30-bdd2-093e673d764e.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\kingsoft\kwpsonlinesetup
Operation:
write
Name:
infoHdid
Value:
69f62c6ce4597d73ebbad6c454cc576a
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000F0330
Operation:
write
Name:
VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000080334
Operation:
write
Name:
VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060304
Operation:
write
Name:
VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:
write
Name:
IconLayouts
Value:
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:
write
Name:
IconNameVersion
Value:
1
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:
write
Name:
LastUpdate
Value:
18ACD26800000000
Executable files
477
Suspicious files
1 543
Text files
2 587
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
3148
Process:
2c373947-d782-4b30-bdd2-093e673d764e.exe
Filename:
C:\Users\admin\Desktop\wps_download\cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_et.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_pdf.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_prometheus.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_prome_init.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_qing.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_wpp.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\prereadimages_wps.txt
MD5:
SHA256:
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Type:
text
MD5:
B0A2B10D6E92C92A4E4D13B13FBEDF44
SHA256:
AC42B3B2E8224FB0457253DF374E13750AADD1D63EA69F4A644BC4FECA0AB4B1
PID:
4084
Process:
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wps\~1993ca\CONTROL\ja_JP\1002.png
Type:
image
MD5:
16AEFB6C1454D76A589385767C066433
SHA256:
E42774D8B3819C19F13294B917A93330104BCF33D269B1B8CB46A2865D97061D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
131
DNS requests
43
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6212
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
2292
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
NL
binary
419 b
whitelisted
2292
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
NL
binary
813 b
whitelisted
2292
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
NL
binary
407 b
whitelisted
2292
SIHClient.exe
GET
200
2.16.164.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
NL
binary
824 b
whitelisted
7008
RUXIMICS.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
7008
RUXIMICS.exe
GET
200
2.16.164.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
2292
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
NL
binary
400 b
whitelisted
2292
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
NL
binary
814 b
whitelisted
2940
svchost.exe
GET
200
2.16.252.233:80
http://x1.c.lencr.org/
NL
binary
734 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7008
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3148
2c373947-d782-4b30-bdd2-093e673d764e.exe
142.250.186.110:443
www.google-analytics.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3148
2c373947-d782-4b30-bdd2-093e673d764e.exe
90.84.175.86:443
api.wps.com
Orange
FR
suspicious
6212
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6212
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7008
RUXIMICS.exe
2.16.164.112:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.110
whitelisted
www.google-analytics.com
  • 142.250.186.110
whitelisted
api.wps.com
  • 90.84.175.86
unknown
login.live.com
  • 40.126.32.74
  • 20.190.160.3
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.14
  • 20.190.160.130
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.65
  • 20.190.160.20
  • 20.190.160.22
  • 20.190.160.67
  • 20.190.160.4
  • 20.190.160.66
  • 20.190.160.17
  • 40.126.31.3
  • 20.190.159.64
  • 40.126.31.0
  • 20.190.159.75
  • 20.190.159.68
  • 40.126.31.2
  • 20.190.159.128
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 162.159.142.9
  • 172.66.2.5
whitelisted
crl.microsoft.com
  • 2.16.164.112
  • 2.16.164.72
  • 2.16.164.90
  • 2.16.164.89
  • 2.16.164.88
  • 2.16.164.96
  • 2.16.164.104
  • 2.16.164.80
  • 2.16.164.81
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
wdl1.pcfg.cache.wpscdn.com
  • 163.53.19.10
  • 89.222.119.91
unknown

Threats

No threats detected
Process
Message
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
[kscreen] isElide:0 switchRec:0 switchRecElide:1
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_BrandAreaWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout
cff2f906a22e99b9f9906563684b77e7-16_setup_XA_mui_Free.exe.601.1147.exe
QLayout: Attempting to add QLayout "" to QWidget "m_customizeSettingsWidget", which already has a layout