URL:

http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/distsrc/100.1001/wpsinst/wps_office_inst.exe

Full analysis: https://app.any.run/tasks/a525ca4b-0724-475f-9699-ae5f3f6357af
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 27, 2019, 11:04:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
maldoc-17
Indicators:
MD5:

B8FAD5E5833A59669AE66BF1D247E9E5

SHA1:

8A0E20FFCADAC1D2BE9B56C4621E5355351BE091

SHA256:

D9AD3213868E0B311F17C4BAAD8C5433CAFBFAB596F850AEC4A3831A3FA55696

SSDEEP:

3:N1KJBaWjNRoTJVGJbWDY7RMNfypYM6MyLN:CSWxMVGJn7RRYM6MyLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • chrome.exe (PID: 2968)
      • wps_office_inst.exe (PID: 3736)
    • Application was dropped or rewritten from another process

      • wps_office_inst.exe (PID: 3736)
      • ksomisc.exe (PID: 1676)
      • ksomisc.exe (PID: 3260)
      • ksomisc.exe (PID: 2188)
      • ksomisc.exe (PID: 3780)
      • wpscloudsvr.exe (PID: 1828)
      • ksomisc.exe (PID: 1492)
      • ksomisc.exe (PID: 1132)
      • wpscloudsvr.exe (PID: 1856)
      • wpscloudsvr.exe (PID: 1920)
      • ksomisc.exe (PID: 1188)
      • wps.exe (PID: 2948)
      • ksomisc.exe (PID: 3120)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 2636)
      • ksomisc.exe (PID: 756)
      • ksomisc.exe (PID: 3460)
      • ksomisc.exe (PID: 3176)
      • ksomisc.exe (PID: 2620)
      • ksomisc.exe (PID: 1688)
      • ksomisc.exe (PID: 3224)
      • ksomisc.exe (PID: 3384)
      • wps.exe (PID: 2296)
      • wps.exe (PID: 3516)
      • wps.exe (PID: 2184)
      • ksomisc.exe (PID: 2204)
      • wpscloudsvr.exe (PID: 3528)
      • wps.exe (PID: 3092)
      • ksomisc.exe (PID: 1128)
      • wps.exe (PID: 2804)
      • wpscloudsvr.exe (PID: 2696)
      • ksomisc.exe (PID: 3072)
      • wpsupdate.exe (PID: 3596)
      • wpscloudsvr.exe (PID: 3312)
      • wpsupdate.exe (PID: 2940)
      • wpscloudsvr.exe (PID: 4020)
      • wps.exe (PID: 3492)
      • ksomisc.exe (PID: 3696)
      • wps.exe (PID: 3976)
      • wps.exe (PID: 3676)
      • wps.exe (PID: 2404)
      • wpscenter.exe (PID: 2888)
    • Drops known malicious document

      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
    • Loads dropped or rewritten executable

      • wpscloudsvr.exe (PID: 1856)
      • ksomisc.exe (PID: 1188)
      • ksomisc.exe (PID: 1676)
      • ksomisc.exe (PID: 3260)
      • wpscloudsvr.exe (PID: 1920)
      • ksomisc.exe (PID: 2188)
      • ksomisc.exe (PID: 1492)
      • wps.exe (PID: 2948)
      • ksomisc.exe (PID: 1132)
      • ksomisc.exe (PID: 3780)
      • ksomisc.exe (PID: 3120)
      • ksomisc.exe (PID: 2636)
      • ksomisc.exe (PID: 756)
      • ksomisc.exe (PID: 4072)
      • ksomisc.exe (PID: 3460)
      • ksomisc.exe (PID: 3176)
      • ksomisc.exe (PID: 2620)
      • ksomisc.exe (PID: 1688)
      • ksomisc.exe (PID: 3384)
      • ksomisc.exe (PID: 3224)
      • regsvr32.exe (PID: 3212)
      • wps.exe (PID: 2296)
      • wps.exe (PID: 3516)
      • wps.exe (PID: 2184)
      • wps.exe (PID: 3092)
      • ksomisc.exe (PID: 2204)
      • ksomisc.exe (PID: 1128)
      • regsvr32.exe (PID: 2636)
      • wps.exe (PID: 2804)
      • wpsupdate.exe (PID: 2940)
      • ksomisc.exe (PID: 3072)
      • regsvr32.exe (PID: 2872)
      • wpsupdate.exe (PID: 3596)
      • wpscloudsvr.exe (PID: 3312)
      • wpscloudsvr.exe (PID: 4020)
      • regsvr32.exe (PID: 356)
      • regsvr32.exe (PID: 3740)
      • regsvr32.exe (PID: 3612)
      • ksomisc.exe (PID: 3696)
      • wps.exe (PID: 3492)
      • wps.exe (PID: 3676)
      • wps.exe (PID: 3976)
      • wps.exe (PID: 2404)
      • wpscenter.exe (PID: 2888)
    • Registers / Runs the DLL via REGSVR32.EXE

      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
      • ksomisc.exe (PID: 3072)
    • Loads the Task Scheduler COM API

      • wps.exe (PID: 3092)
      • wps.exe (PID: 2296)
      • wpsupdate.exe (PID: 2940)
  • SUSPICIOUS

    • Creates files in the user directory

      • wps_office_inst.exe (PID: 3736)
      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
      • ksomisc.exe (PID: 1676)
      • ksomisc.exe (PID: 2620)
      • ksomisc.exe (PID: 1688)
      • wpsupdate.exe (PID: 3596)
      • wps.exe (PID: 3492)
      • wps.exe (PID: 3976)
      • wps.exe (PID: 2404)
      • wpscenter.exe (PID: 2888)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2968)
      • chrome.exe (PID: 3440)
      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
      • wps.exe (PID: 2404)
      • wps.exe (PID: 3976)
    • Creates a software uninstall entry

      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
    • Application launched itself

      • wpscloudsvr.exe (PID: 1856)
      • wps.exe (PID: 2296)
      • wps.exe (PID: 3492)
      • wps.exe (PID: 3976)
    • Modifies the open verb of a shell class

      • ksomisc.exe (PID: 2188)
      • ksomisc.exe (PID: 1492)
      • ksomisc.exe (PID: 1132)
      • ksomisc.exe (PID: 3120)
      • ksomisc.exe (PID: 4072)
      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
    • Creates COM task schedule object

      • ksomisc.exe (PID: 2188)
      • regsvr32.exe (PID: 3212)
      • regsvr32.exe (PID: 2636)
      • regsvr32.exe (PID: 2872)
      • regsvr32.exe (PID: 356)
      • regsvr32.exe (PID: 3740)
      • regsvr32.exe (PID: 3612)
    • Executed as Windows Service

      • wpscloudsvr.exe (PID: 1828)
      • wpscloudsvr.exe (PID: 3528)
      • wpscloudsvr.exe (PID: 2696)
    • Removes files from Windows directory

      • wpscloudsvr.exe (PID: 1828)
      • wpscloudsvr.exe (PID: 3528)
      • wpscloudsvr.exe (PID: 2696)
    • Creates files in the Windows directory

      • wpscloudsvr.exe (PID: 1828)
      • wpscloudsvr.exe (PID: 3528)
      • wpscloudsvr.exe (PID: 2696)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3440)
    • Reads Internet Cache Settings

      • wpsupdate.exe (PID: 3596)
      • wpsupdate.exe (PID: 2940)
    • Starts itself from another location

      • wps.exe (PID: 3492)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 3440)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 3440)
    • Reads settings of System Certificates

      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
      • chrome.exe (PID: 2968)
    • Dropped object may contain Bitcoin addresses

      • setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe (PID: 3316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
110
Monitored processes
70
Malicious processes
43
Suspicious processes
6

Behavior graph

(Interactive process graph; available in the full report.)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
356
CMD:
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\addons\knewdocshellext\knewdocshellext.dll"
Path:
C:\Windows\system32\regsvr32.exe
Parent process:
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
756
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe" -distsrc 00500.00002001
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe
Parent process:
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
11,2,0,8934
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.8934\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
776
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=988,4756398656555230842,14661670697041074113,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=16950495000209637926 --mojo-platform-channel-handle=4304 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
1128
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe" -Assopdf
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe
Parent process:
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
11,2,0,8934
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.8934\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
1132
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe" -Assoexcel
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe
Parent process:
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
11,2,0,8934
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.8934\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
1188
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe" -regmtfont
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe
Parent process:
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
11,2,0,8934
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.8934\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
1456
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fdea9d0,0x6fdea9e0,0x6fdea9ec
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
1468
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=988,4756398656555230842,14661670697041074113,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13352748134480039042 --mojo-platform-channel-handle=1532 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
1492
CMD:
"C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe" -Assoword
Path:
C:\Users\admin\AppData\Local\Kingsoft\WPS Office\11.2.0.8934\office6\ksomisc.exe
Parent process:
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
User:
admin
Company:
Zhuhai Kingsoft Office Software Co.,Ltd
Integrity Level:
MEDIUM
Description:
WPS Office Module
Exit code:
0
Version:
11,2,0,8934
Modules
Images
c:\users\admin\appdata\local\kingsoft\wps office\11.2.0.8934\office6\ksomisc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
1636
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=988,4756398656555230842,14661670697041074113,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11083646146345583833 --mojo-platform-channel-handle=924 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events
12 736
Read events
4 465
Write events
8 253
Delete events
18

Modification events

(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:
write
Name:
StatusCodes
Value:
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:
write
Name:
StatusCodes
Value:
01000000
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(3504) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:
write
Name:
3440-13211377488682125
Value:
259
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:
write
Name:
dr
Value:
1
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome
Operation:
write
Name:
UsageStatsInSample
Value:
0
(PID) Process:
(3440) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:
delete value
Name:
1512-13197841398593750
Value:
0
(PID) Process:
(3440) chrome.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:
write
Name:
usagestats
Value:
0
Executable files
179
Suspicious files
401
Text files
2 796
Unknown types
488

Dropped files

PID
Process
Filename
Type
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\e907f46b-46fe-4b5f-91b0-4733588d8f66.tmp
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF169c35.TMP
Type:
text
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
Type:
text
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
Type:
text
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF169c16.TMP
Type:
text
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF169bd7.TMP
Type:
text
MD5:
SHA256:
PID:
3440
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF169bc7.TMP
Type:
text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
178
TCP/UDP connections
78
DNS requests
30
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3072
ksomisc.exe
GET
47.246.43.225:80
http://wdl1.pcfg.cache.wpscdn.com/ksodl/service/per-plugin/dl/addons/list/win-i386/11.2.0.8934/ksomisc/index.ini
US
malicious
3460
ksomisc.exe
GET
200
52.193.251.216:80
http://haiwai-ic.ksosoft.com/infos.ads?v=D1S1E2&d=arMFlS7SpzoOibMPkHtBfvcPlPIOZHNQlvMFjDtRVbcRczsOc0dRrrMFqO2SmqJHsSJGpGZHtGJHq43D5XZCuCJHp4pCpa3D5LaHs4aH5P2SnqJCnuYCk0ZBuapCqO2SoqJDm0ZBo03CnO2SpqpC
JP
unknown
3736
wps_office_inst.exe
HEAD
200
47.246.43.227:80
http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/package/setup_XA_mui_Free.exe
US
malicious
3736
wps_office_inst.exe
HEAD
200
47.246.43.227:80
http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/distsrc/100.1001/index.ini
US
malicious
3736
wps_office_inst.exe
GET
200
52.193.251.216:80
http://haiwai-ic.ksosoft.com/infos.ads?v=D1S1E1&d=ZG09L3dwcy9jbGllbnQva29ubGluZXNldHVwJmFjdGlvbj1rb25saW5lc2V0dXAmcG51bT01JnAwPTU2NEU0ODNFQjM5RjQwMzY5NUYwNUQ5NjFEOTc3MTRGfDhCOUZFMEU1MDFCQzhBOUQ2OEQwMzQ2MUQxODVDMTA1fDlmNGMwMDQ5MmUxNmRmNWQwZDcyMmNlOThmMDExZGNlJnAxPTAuMC4wLjAmcDI9MTAwLjEwMDEmcDM9JnA0PXNob3c=
JP
unknown
3736
wps_office_inst.exe
GET
200
52.193.251.216:80
http://haiwai-ic.ksosoft.com/infos.ads?v=D1S1E1&d=ZG09L3dwcy9jbGllbnQva29ubGluZXNldHVwJmFjdGlvbj1rb25saW5lc2V0dXAmcG51bT02JnAwPTU2NEU0ODNFQjM5RjQwMzY5NUYwNUQ5NjFEOTc3MTRGfDhCOUZFMEU1MDFCQzhBOUQ2OEQwMzQ2MUQxODVDMTA1fDlmNGMwMDQ5MmUxNmRmNWQwZDcyMmNlOThmMDExZGNlJnAxPTAuMC4wLjAmcDI9MTAwLjEwMDEmcDM9JnA0PWJ0bl9jbGljayZwNT1zdGFydA==
JP
unknown
2940
wpsupdate.exe
GET
200
3.114.50.255:80
http://haiwai-ic.ksosoft.com/infos.ads?v=D1S1E1&d=ZG09L3dwcy9jbGllbnQvYXBwJmFjdGlvbj1rZGNzZGtfaW5mb2MmcDA9RTY3QTM0Rjc0RTQxNEU4MjgzRTMxMzM5NEVFRjZBRkV8OGI5ZmUwZTUwMWJjOGE5ZDY4ZDAzNDYxZDE4NWMxMDV8ZWFiNjkxYzhkNDY2Nzg4NDE2OWJkNGEwMDY0MmUwYjQmcDE9MTEuMi4wLjg5MzQmcDI9MDA1MDAuMDAwMDIwMDEmcG51bT0xMCZwMz1vdGhlciZwND0xNTY2OTA0MDk2ODIxXzM1OTYmcDU9MTU2NjkzMjg5NiZwNj0yJnA3PV9hcHBfc3RhcnQmcDg9aWZvX2Fib3V0dG9zZW5kJnA5PTA=
US
unknown
1828
wpscloudsvr.exe
GET
200
23.37.43.27:80
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
NL
der
1.71 Kb
whitelisted
1828
wpscloudsvr.exe
GET
200
23.37.43.27:80
http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEGCGRGO7vC5OZ9QnceTL2aU%3D
NL
der
1.62 Kb
whitelisted
2968
chrome.exe
GET
200
47.246.43.227:80
http://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/distsrc/100.1001/wpsinst/wps_office_inst.exe
US
executable
1.77 Mb
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2968
chrome.exe
47.246.43.229:80
wdl1.pcfg.cache.wpscdn.com
US
malicious
3736
wps_office_inst.exe
47.246.43.227:80
wdl1.pcfg.cache.wpscdn.com
US
malicious
172.217.22.110:443
clients4.google.com
Google Inc.
US
whitelisted
3316
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
172.217.16.174:80
www.google-analytics.com
Google Inc.
US
whitelisted
1828
wpscloudsvr.exe
23.37.43.27:80
ocsp.verisign.com
Akamai Technologies, Inc.
NL
whitelisted
2968
chrome.exe
172.217.22.46:443
clients1.google.com
Google Inc.
US
whitelisted
2968
chrome.exe
172.217.22.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2968
chrome.exe
47.246.43.227:80
wdl1.pcfg.cache.wpscdn.com
US
malicious
2968
chrome.exe
216.58.206.14:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2968
chrome.exe
172.217.18.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
wdl1.pcfg.cache.wpscdn.com
  • 47.246.43.227
  • 47.246.43.229
  • 47.246.43.226
  • 47.246.43.225
  • 47.246.43.230
  • 47.246.43.224
  • 47.246.43.228
  • 47.246.43.223
malicious
clientservices.googleapis.com
  • 172.217.22.99
whitelisted
accounts.google.com
  • 172.217.16.173
shared
sb-ssl.google.com
  • 216.58.206.14
whitelisted
www.google.com
  • 172.217.18.164
malicious
ssl.gstatic.com
  • 172.217.18.3
whitelisted
haiwai-ic.ksosoft.com
  • 3.114.50.255
  • 52.193.251.216
unknown
www.gstatic.com
  • 172.217.22.67
whitelisted
clients4.google.com
  • 172.217.22.110
whitelisted
clients1.google.com
  • 172.217.22.46
whitelisted

Threats

PID
Process
Class
Message
2968
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3736
wps_office_inst.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
[kscreen] isElide:0 switchRec:0 switchRecElide:1
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
[kscreen] now screensaver is
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
unregister dll path:qingshellext.dll
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
unregister dll path:qingshellext.dll
setup_urls_default.8dc07d309fdfcde4f184b2d523450568.500.2001.exe
unInstall qingshellex success!
ksomisc.exe
2019/08/27 12:06:59 I ksomisc 0000068c:00000570 [wWinMain][ksomisc begin] cmdline:-setlng en_US FL:E:\rc_v11_i18_kpr_20190815\Coding\support\ksomisc\ksomisc.cpp(469)
ksomisc.exe
2019/08/27 12:07:01 I ksomisc 00000cbc:00000fbc [wWinMain][ksomisc begin] cmdline:-setservers FL:E:\rc_v11_i18_kpr_20190815\Coding\support\ksomisc\ksomisc.cpp(469)
ksomisc.exe
2019/08/27 12:07:01 I ksomisc 0000088c:00000930 [wWinMain][ksomisc begin] cmdline:-register FL:E:\rc_v11_i18_kpr_20190815\Coding\support\ksomisc\ksomisc.cpp(469)
ksomisc.exe
2019/08/27 12:07:15 I ksomisc 000004a4:00000ba8 [wWinMain][ksomisc begin] cmdline:-regmtfont FL:E:\rc_v11_i18_kpr_20190815\Coding\support\ksomisc\ksomisc.cpp(469)
ksomisc.exe
2019/08/27 12:07:27 I ksomisc 00000ec4:00000edc [wWinMain][ksomisc begin] cmdline:-setappcap FL:E:\rc_v11_i18_kpr_20190815\Coding\support\ksomisc\ksomisc.cpp(469)