joker | 7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1

Analysis

max time kernel
152s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
Size

1.5MB
MD5

d372ea851aa97a62eadd09e5c9cc8de7
SHA1

6edd9c411a66eb700d244664d12d5e4eda850461
SHA256

7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1
SHA512

dea02bb4c0314de3aea3b0c2f0bf2e0c6bc3e18e748bf2eccc5ac101ee544c37232d081c7e41ff4deaa718621689e15676cd489dd21516c03e8b7c1869660f05
SSDEEP

24576:5HJ+TBzraCXb8zsMbTkE+bsqsVToIa0FYRrvnejnyZm0nxysBuk6d++ao7iC5ITW:5M4zsM0EnoIa0yrvmifyuoN2jDrtg9

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 4 IoCs

pid	Process
1588	KSWebShield.exe
592	KSWebShield.exe
768	KSWebShield.exe
612	KSWebShield.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.lnk	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe

Loads dropped DLL 16 IoCs

pid	Process
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
768	KSWebShield.exe
768	KSWebShield.exe
612	KSWebShield.exe
612	KSWebShield.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	KSWebShield.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\progra~1\ico\Film.ico	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\ico\Manhua.ico	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\ico\Video.ico	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\kingsoft\KSWebShield.exe	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\TheWorld 3\TheWorld.ini	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\ico\Beauty.ico	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\kingsoft\kwssp.dll	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\kingsoft\kwsui.dll	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\Maxthon2\SharedAccount\Config\Config.ini	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\kingsoft\KSWebShield.dll	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\Maxthon\Config\config.ini	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
File created	C:\progra~1\ico\Taobao.ico	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D66B8421-3810-11ED-AF38-FE72C9E2D9C9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.31166.net\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxtv6.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxtv6.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net\Total = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502f5fb21dccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.31166.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxtv6.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxtv6.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "378"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000902b89d0b2ab262fc3cbd8f2f58785b1fb8e6f20ce38c820830da2a405dff550000000000e80000000020000200000007d0e37692431d150d089fdbc3077636e8e1693e756f821dec6d6ca3e4adfcc5c900000009e17079b30b0f545b3cdac41f62a9d05d0a9923c65f04e0ca63652c70e89e3e0b6add1da26a1ea3d946b9ad47eb0d7405456154e16107cd5adc7fc290260c9c69d4779630e77f4337a6fbe5dd32f377b298903a7e940154e55cbc2e3970363661df9488d56d7c821fdb1ff84765fb1fa5bc69edef1ff80e1e36ebca8dc7185923335c04bfb8dc5f2ef0b1335b2d6aeee40000000dd705c904ff467b2c6b00e5c46a462c9c3f5bd4d24db65808a4aa1e9fb646029d8563ca0180aaeaaa26844fc8e015da40b9ec64dd5946331f62b204011d32d1a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.v258.net = "0"	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000002bab6f45c79e1a5ae94fb635bc68c5b9be9d3c7bd9655fe7677b11b680ea05f0000000000e80000000020000200000005fdb9545983a3e92c363fc62f097d98f2fc2dec31b4dd336165c6dabfd1cd3b2200000001d513c3d2482fd63409e02e8f7bc4b79fc7184b6f523b94cc9895e27559ac4a0400000006eb572afa2c22ec5faa9032f2d2fb57077e3d974aad09fbd3f2544f9a63a793773969e2071052313704aaf2c54bb9782703bc32ca51b8a5862ca8d6bce190385	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net\Total = "63"	IEXPLORE.EXE

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}\WpadDecisionReason = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-63-5b-e6-f1-ac\WpadDecision = "0"	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-63-5b-e6-f1-ac\WpadDetectedUrl	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}\WpadDecisionTime = c0c38faa1dccd801	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-63-5b-e6-f1-ac\WpadDecisionTime = c0c38faa1dccd801	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-63-5b-e6-f1-ac	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}\WpadDecisionTime = 2071f79e1dccd801	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}\WpadNetworkName = "Network 2"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}\a2-63-5b-e6-f1-ac	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-63-5b-e6-f1-ac\WpadDecisionTime = 2071f79e1dccd801	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}\WpadDecision = "0"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-63-5b-e6-f1-ac\WpadDecisionReason = "1"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7D7C2FA-0086-4E62-BC5C-25CAB86709D3}	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	KSWebShield.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	KSWebShield.exe
Token: SeDebugPrivilege	592	KSWebShield.exe
Token: SeDebugPrivilege	768	KSWebShield.exe
Token: 33	768	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	768	KSWebShield.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1776	iexplore.exe
1776	iexplore.exe
1776	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
612	KSWebShield.exe
612	KSWebShield.exe
1776	iexplore.exe
1776	iexplore.exe
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
1776	iexplore.exe
1776	iexplore.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
1776	iexplore.exe
1776	iexplore.exe
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1588	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	26
PID 2020 wrote to memory of 1588	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	26
PID 2020 wrote to memory of 1588	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	26
PID 2020 wrote to memory of 1588	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	26
PID 2020 wrote to memory of 592	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	27
PID 2020 wrote to memory of 592	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	27
PID 2020 wrote to memory of 592	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	27
PID 2020 wrote to memory of 592	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	27
PID 768 wrote to memory of 612	768	KSWebShield.exe	29
PID 768 wrote to memory of 612	768	KSWebShield.exe	29
PID 768 wrote to memory of 612	768	KSWebShield.exe	29
PID 768 wrote to memory of 612	768	KSWebShield.exe	29
PID 2020 wrote to memory of 1548	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	31
PID 2020 wrote to memory of 1548	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	31
PID 2020 wrote to memory of 1548	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	31
PID 2020 wrote to memory of 1548	2020	7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe	31
PID 1548 wrote to memory of 1812	1548	cmd.exe	33
PID 1548 wrote to memory of 1812	1548	cmd.exe	33
PID 1548 wrote to memory of 1812	1548	cmd.exe	33
PID 1548 wrote to memory of 1812	1548	cmd.exe	33
PID 1548 wrote to memory of 1884	1548	cmd.exe	36
PID 1548 wrote to memory of 1884	1548	cmd.exe	36
PID 1548 wrote to memory of 1884	1548	cmd.exe	36
PID 1548 wrote to memory of 1884	1548	cmd.exe	36
PID 1548 wrote to memory of 2040	1548	cmd.exe	37
PID 1548 wrote to memory of 2040	1548	cmd.exe	37
PID 1548 wrote to memory of 2040	1548	cmd.exe	37
PID 1548 wrote to memory of 2040	1548	cmd.exe	37
PID 1548 wrote to memory of 1472	1548	cmd.exe	38
PID 1548 wrote to memory of 1472	1548	cmd.exe	38
PID 1548 wrote to memory of 1472	1548	cmd.exe	38
PID 1548 wrote to memory of 1472	1548	cmd.exe	38
PID 1548 wrote to memory of 1568	1548	cmd.exe	39
PID 1548 wrote to memory of 1568	1548	cmd.exe	39
PID 1548 wrote to memory of 1568	1548	cmd.exe	39
PID 1548 wrote to memory of 1568	1548	cmd.exe	39
PID 1548 wrote to memory of 1404	1548	cmd.exe	40
PID 1548 wrote to memory of 1404	1548	cmd.exe	40
PID 1548 wrote to memory of 1404	1548	cmd.exe	40
PID 1548 wrote to memory of 1404	1548	cmd.exe	40
PID 1548 wrote to memory of 908	1548	cmd.exe	41
PID 1548 wrote to memory of 908	1548	cmd.exe	41
PID 1548 wrote to memory of 908	1548	cmd.exe	41
PID 1548 wrote to memory of 908	1548	cmd.exe	41
PID 1548 wrote to memory of 740	1548	cmd.exe	42
PID 1548 wrote to memory of 740	1548	cmd.exe	42
PID 1548 wrote to memory of 740	1548	cmd.exe	42
PID 1548 wrote to memory of 740	1548	cmd.exe	42
PID 1548 wrote to memory of 2032	1548	cmd.exe	43
PID 1548 wrote to memory of 2032	1548	cmd.exe	43
PID 1548 wrote to memory of 2032	1548	cmd.exe	43
PID 1548 wrote to memory of 2032	1548	cmd.exe	43
PID 1548 wrote to memory of 1780	1548	cmd.exe	44
PID 1548 wrote to memory of 1780	1548	cmd.exe	44
PID 1548 wrote to memory of 1780	1548	cmd.exe	44
PID 1548 wrote to memory of 1780	1548	cmd.exe	44
PID 1548 wrote to memory of 1776	1548	cmd.exe	45
PID 1548 wrote to memory of 1776	1548	cmd.exe	45
PID 1548 wrote to memory of 1776	1548	cmd.exe	45
PID 1548 wrote to memory of 1776	1548	cmd.exe	45
PID 1548 wrote to memory of 1772	1548	cmd.exe	46
PID 1548 wrote to memory of 1772	1548	cmd.exe	46
PID 1548 wrote to memory of 1772	1548	cmd.exe	46
PID 1548 wrote to memory of 1772	1548	cmd.exe	46

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
628	attrib.exe
980	attrib.exe
1856	attrib.exe
1912	attrib.exe
2016	attrib.exe
960	attrib.exe
1736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe
"C:\Users\Admin\AppData\Local\Temp\7af9193a3605beb4175bbeca714ac1287047deb47ab0aa5099781a115e2b97f1.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:f
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:f
    3⤵
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:f
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:f
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╥┴╚╦┼«╨╘═°.url" /p everyone:f
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1912
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:960
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1736
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:628
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╥┴╚╦┼«╨╘═°.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:R
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:R
    3⤵
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:R
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:R
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:R
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╥┴╚╦┼«╨╘═°.url" /p everyone:R
    3⤵
    PID:940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-yt
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1776
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1152
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:5518339 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:406549 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2096
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.31166.net/?uk-yt
  2⤵
  PID:956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-yt
  2⤵
  PID:740

C:\progra~1\kingsoft\KSWebShield.exe
C:\progra~1\kingsoft\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini

Filesize
57B

MD5
53705d540fa3c6775550bacd326e81c9

SHA1
07eba7ba3f3175471bc77aacd12a9f407f107c68

SHA256
3e2ef6a4586476a7f19a67117f3292346acfc22d426dcc0ee9469acad17d7c94

SHA512
72ea7d7926546fae2785ca526cacec42080759feaa7f5c317db59f1bc28bd0a0bf207b82cb886cf7676a35013358972379b45d0d5d50ea1b4cb121866fa2b61f

Download Submit
C:\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
163B

MD5
188bb29b3030c993ce31dee0b71d746b

SHA1
f2593c034cabace23b0fb614cdce4ef50edb131c

SHA256
e88307cf91bdc4de1de6346491e0c2369c63665def40f9c5256d5337156ccfc0

SHA512
92e0326d1720765dcfd02c30d55dfa42bb73cfab58e5bf6b970b50ebae4249584f614e1541b042d8ca9c91d109cae5baf271577ecc57ee12ebfba4734be49d47

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
356B

MD5
1962d7f2787804a2b34702ec923e6273

SHA1
8417c61f71be35e5f4073afd491161f48bb52a2e

SHA256
25589370d36db390c954e05147f58ac25e00bbcc8201f1bdd9bf6fb4dede6bbf

SHA512
4357f024d64246aa94aea9962cf7988746a50bd5574d0e19d90bfcf343b4da505a050ac208afeffc91f9ea03f69a29ac1c10e599150fa7f29016243b89255741

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
546B

MD5
2424cc1fcc55a391804325ac4057a28c

SHA1
d6e11f35c229ceefe21f7736b377f9a50323d90a

SHA256
01074ad83e8477d936051da4be079daae1268a070309dfe08dd2f04cb780145e

SHA512
747f6b61a415e087342afd727ddfd627bd1838e873c483f262ecd2382178bae5678fbf640f5326f29791dc959ade55710c4b5e308d8b38034dbc88d04fe2c257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
2c32100249bd03a08745cfeda61bfad5

SHA1
6108968db9e17f3cf7f38e60f9bd33c56d9613cb

SHA256
5c6f494b47b37859489a17b673d3553818ab41d37680559881c4219b933c83ac

SHA512
0f9b7bd18711f274fdc008168c9a65f948f21662ce279f92c28e3c06a0b8f7ac3b902165289cb71fb72adaa1db2630646fd48809d260b559e881e296cad4ed7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
1f7544149fb92813ebb5cee849e8f39e

SHA1
503cef1b52e1ce2afbb73b985ba089034b28e116

SHA256
3b56441477f30b989973c9d54228da8f34f00883bb52921c5e4ebf99e3902118

SHA512
61147cb85450bef51099c696d9fe8f028f9e8791ba5a2829178dd85a3181a76f07995fb3567543f76971329d7a22a9e9f1c5fc78a866e109705dd991c03a0bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
c17f0ef6a7bde7170035a6397842dbc2

SHA1
d9efb6028ede92f0947b0a6a68c7dc307bffea49

SHA256
280e6fc6e820340a904f3ac65003cab72fb4b1ace3b28beafd9d90233d6286b6

SHA512
274e9bcd2c3b6776a9c06046741bbe4c7762d7b6ef9f28f7929ddb1e44e0dffef36b387be28c94e6f1668fa20d65415953323ada80bcff82af344fd00cd7d7c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
48e98893438d04fa64bb49bbdafbf960

SHA1
e28578281fc80cb97275a94aa0e9da0db8285b87

SHA256
2ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d

SHA512
9eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
0956ef80ed9dddfeb080c4ecddb7bd25

SHA1
8cdb02bfd31dc0d28bbad4b433ec51eaa6478188

SHA256
0830e7c3aa144bc0532ad739bb13177a989fa49c034325c3836bb6be97238a20

SHA512
8c16a93ce551b6e0e815a2a588a33a9d94166ad3752ec3a4bc8e8a7c7c3da47cb9f02b01ab60e36c479fc4f9cbb349fb7f5dd994fd97735fb50a6b0fa519ce27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
80a9881ff9b9d22510cc87e3fda725f3

SHA1
4dd868118376c29564b149764474d40a55a109fd

SHA256
0d29ab5cddd7dd223172cb0a74816a59c5e66816caf44bea6ed28260f08bc91e

SHA512
957040b4e9ffd85c128c0f45fe5c9f57b9fd0d01043c3a000d9c54c6bb8e82bdd6238495eef2f2b2e3ad635a83e6e23739c584dd6873d3b9aeff93579c5d5f4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
6174d38c6d0c8af0d41e382ff6e4c581

SHA1
b642ab758d147d04914c517bb280d66f82449116

SHA256
1c5fb3c4492609b4adac9eead448fb78f8747ead04242d0591130decbc603c48

SHA512
e904f723e06c3898c855f2bfdbe9804b04d5a013396630fff011b677100c4ea566dc1fcc049dcd63597ba4f8a3674aeffb6c66d0bd911d71f7a98c17d0ed88a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
7d2c35405f73cafe9b80bfdbb2fb4806

SHA1
6a2088f0553af524af8ae9ae4f0176ca43a5d348

SHA256
fadd0b1e4fb72d22487ce126f8ce03a71035c7c39c27e66586feda06aefe1e5c

SHA512
6a9a4c9736b6375079f0f61299cf6ce434d8082fd2c99552cd7015c9c4b54e1db022b180c73d1d91367e66943a2115ac72124372c660fb782c5c7870bea3d53e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73865e9aa87c509a67b0ef1afe10249c

SHA1
4b4568f0aa0fe003204a8fe7f73dc61263934bdb

SHA256
bcea1ce7b1288ffc3f5ee9342a251fb8d746dd204befdff1d033015b8e9f8c5c

SHA512
fe07c7c4d8cd0145e77397041f7cd58db408d6f3db33c432f033265e20ac20f486b66501ef68c919d63af3af3d1ba29713ad50ad450ae4a6e212f530ce79ef40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85f3821f2a561f0d5d4c719bc9f17e63

SHA1
a2d982ea2755c4c9488e2047f1d2bcda44dce28a

SHA256
7d3c011fd9274f45e744c2ed7b800de814d23110184fdc906f8484ae7c1595f3

SHA512
20d0850f060af5d5c836ecfbf52c1625c556bea050280eeefac8d2e7749199ff73f074019736f7fe3e01ddd1b60644cd7c893f22438e9f83a5531c1c0939eed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85f3821f2a561f0d5d4c719bc9f17e63

SHA1
a2d982ea2755c4c9488e2047f1d2bcda44dce28a

SHA256
7d3c011fd9274f45e744c2ed7b800de814d23110184fdc906f8484ae7c1595f3

SHA512
20d0850f060af5d5c836ecfbf52c1625c556bea050280eeefac8d2e7749199ff73f074019736f7fe3e01ddd1b60644cd7c893f22438e9f83a5531c1c0939eed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4222189ac11c80013ccade706c0ef109

SHA1
aaebce874db2897338754bacc85adc84044193da

SHA256
eb0f2063155098d2566ae7a1fa41ee1e3125f65f5db6eb7d491a3802435fbb33

SHA512
465e2c72d5e53f0d478cd962f728545985cbd53f8d28de084d05441e5ca459a45bfec92ba9ddc01dd594adf108864e6e78eff2ee5bb60a71f95393a95f72952f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
9b02265be1d99fcb49f591748294e418

SHA1
45787fa3fd6a231369ab948b8fa91a2cdf548ee2

SHA256
cc66de828003875fc6aac8d199d7b2ef3df0b8fa77ff583e734a02cff0e8398f

SHA512
0e1e7d70f5a866d2f1ee97eaad7ccee8f29281cb3430fc6a58e77fed187f3bce578a86c2bbd56f1bb827dad55b853432c1f1a3c615198cec1048eb1bdf007d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
ecb006bd9e76b3c6ffec73337cc3f7f8

SHA1
8db887b527c5b1dd1f618c1de5961ffe3a88a257

SHA256
ff6d121384a9a05dc2b195765c849f7a4cac0b56febc8c67b9000efe62af807d

SHA512
c56ff0af7401617d702358d29ea6e0bae617391ec9877c53b0887cafa3e963cf56efda8cf0a6afd488204eea97d3defa823d576ef21cdf57b5dddbac84b1193b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
7c79789a3c4a508a042c6f32833768a1

SHA1
b3525ef630b805eb0aed93e2aff52e60fce83198

SHA256
6e4214ae761a4773113b9775ff216bae0abda824db8652b02713fc47111cfa7a

SHA512
9fb6da227957ef3c02d2177cdc30dffa6be1951facb61845d2587daf07bb143de1f64630744fa09f9119b0949378b217813ae00d0fa6b1efb0414dceee56833e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
3018d8f7071223e9667f61f52af1aba0

SHA1
f7428c7fdb3a5313048df86e4d89eb1713e2ae22

SHA256
fd4b3e101771c10d75a27f8058f51835809aa22eab02e16e3d4fa4d137c17ec3

SHA512
c2c769dfb0d2f46cfcbc49cee2a3a52b1a0ccd3fc2fb0b762ec722b8f322d6e07f1a56eb7331178e46df9aaab4267c3c2efd58ac9539c642bdcf46aa8937d243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\0395e120009z0vxy6FCFD[1].gif

Filesize
55KB

MD5
59de4baeeffc845f28b721f5ded24871

SHA1
72ae58b2d40a5c1fa84bd239c2bb572fbfb48137

SHA256
018004793de8567b6512308dffc6f0f6cc5b8d2299fc2232219f6faf8d76593b

SHA512
58246be254b619a36ced2e2b55b239994d218872cf5996e304040b14b301cc49f0cfe84212ede957afdcbd90b81eca9e0f5521e447859e8bca4112a1502a9647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\200x200[1].gif

Filesize
570KB

MD5
1a4b3ae248ebb98f068622e6a2cf0c14

SHA1
e35f8449cd0a184a18f18b93b352dfb1634a5f88

SHA256
084c3b930a1bdf1fb1931da32351a1290caf6c9ec7b9adc62a28d7442a5f9f1b

SHA512
157e6551137eeb7a7c78cb9b5ee51f860bfe3e636e129e028f27013615389df9c765cea21ac5bc7d0d23b9f57a24e29911068d3375d4938e290a099e927f31fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\200x200[2].gif

Filesize
564KB

MD5
f535ee6e597196ee97e3d7da4853b607

SHA1
7244e89c8270ade08ee71f10340e01e9893cff2c

SHA256
39c0490c336ff6e5ad21a9d26d01d733753f44c28063b6698e3fc8139b2b6324

SHA512
ba06721f5d5f9339ebd998023f2156d8bc6103e4bc851396f8a58343ad4174dbdb36adc1282a7a027c33c0b55c7bfab6779f68915d205d7770e7bce724b63bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\960x80-2[1].gif

Filesize
410KB

MD5
be6afdda29243c0914e9b7c4625cbe18

SHA1
d41ddbc9dfe849bc6dd4e9abc8a0f14d4f24755b

SHA256
294f934974d697cdf9e9387753fbe9895501a42a5ff1566ec74925f2e08b49f7

SHA512
e47ea8c061485ecf98792f4505b479422b5f6ca6f051cbcace2882761201d799f28884ed118d0b56d925b10823db4a1a694a6097bc608b86a97fd817bf13dbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\bootstrap.min[1].css

Filesize
118KB

MD5
7f89537eaf606bff49f5cc1a7c24dbca

SHA1
b0972fdcce82fd583d4c2ccc3f2e3df7404a19d0

SHA256
6d92dfc1700fd38cd130ad818e23bc8aef697f815b2ea5face2b5dfad22f2e11

SHA512
0e8a7fbd6de23ad6b27ab95802a0a0915af6693af612bc304d83af445529ce5d95842309ca3405d10f538d45c8a3a261b8cff78b4bd512dd9effb4109a71d0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\bootstrap.min[1].js

Filesize
38KB

MD5
2f34b630ffe30ba2ff2b91e3f3c322a1

SHA1
b16fd8226bd6bfb08e568f1b1d0a21d60247cefb

SHA256
9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe

SHA512
a014e9acc78d10a0a7a9fbaa29deac6ef17398542d9574b77b40bf446155d210fa43384757e3837da41b025998ebfab4b9b6f094033f9c226392b800df068bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\jquery.lazyload.min[1].js

Filesize
3KB

MD5
112c8d1b40b3e62e883c743e9d71e0bf

SHA1
338318e930487b2791a7bcf53ad4601630cc41e2

SHA256
ad79ce7e34d1a788809bb853031133de2ae45f3c19ac4955dae46c7490188c2e

SHA512
8cd0ed15feea814d1e1fff99e36146e1fc37c3b0ccffdcdb80d3dedf07c9942ca55434d3dc880a5b9afdd95cbd2076ba539d2fc8ccf981107222ee1821716d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\jquery.min[1].js

Filesize
94KB

MD5
4f252523d4af0b478c810c2547a63e19

SHA1
5a9dcfbef655a2668e78baebeaa8dc6f41d8dabb

SHA256
668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404

SHA512
8c6b0c1fcde829ef5ab02a643959019d4ac30d3a7cc25f9a7640760fefff26d9713b84ab2e825d85b3b2b08150265a10143f82e05975accb10645efa26357479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8YK3QV\03964120009z0w8i44344[1].gif

Filesize
435KB

MD5
dfbf81fb5d0c62a4890d1362f950c5d7

SHA1
725b5307b3976bd29822d38f3a22d119086498da

SHA256
aeefa12a7a2daa7ef3c04e1545d05163f8f6d95e1b8651fe7ea2893115bb6315

SHA512
c5f546abf64f37f9bacd0eaa939bff25842c1241d81a2aa32de080deb97ed61a1c7f722f6e873234bd31f57e20459921fb7ecd2aa36c04df4c00c681bd04bc9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8YK3QV\150x150[1].gif

Filesize
99KB

MD5
74409a753a6305214ab8c42a40752453

SHA1
52523bf4eee3245ecaa59c9ed8443a6a8a4a650c

SHA256
2b3f372dac05e81d086b1aaf7da6eba3182fb6d9018e8bf1b317e983dd667881

SHA512
75a93a7a1cb76b63c33ba4509aaa2d25e2a04f0b7c62cb97b1fb0dbae0009df924bc39dbc60969cbe7e97d26e3fdef8520c93efe34206c9419c1c16333fb97b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8YK3QV\960X80[1].gif

Filesize
130KB

MD5
55f93dff8b8634e22e525341e9b6915b

SHA1
b8fd202b4a2ea247a1eda7626e3daea1eeeb2e48

SHA256
54c038f5eb9f6657ba29e5f640cab966f0594e2d127468ac8888b39bf29a7fde

SHA512
299f1c35d3728e08d6b9d2339b87b489d0f79dab269185ce2a1e5dc128a75022f39abfcc076a0cbae9b0a96f144434e2a1e4993e16aa87d2ac5887d35ae96c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V881MODH\970x80[1].gif

Filesize
696KB

MD5
7182959945db438e3a38710bfd8cd1b7

SHA1
6f832a7d06374f8db73faf454dadde683e584451

SHA256
ef181136c0d2f54f2e375969fdb11d758bc53d8c89886109838176992360546f

SHA512
e3e984e074ea33a723951cf70efcd6248ffe5296fe9b4fdfa6a6e9c27905f8d9a2f782bb703140bca5d277ec065854b556e24ce176ee56d689c1d12cc7924ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bat

Filesize
1KB

MD5
90c75b8659294e166a60782eefc4f3bc

SHA1
97028e1233c09be6cefb6b3843dc477e56a98d56

SHA256
0c3e179547b62b770ab31f7cab5c3cbd3ac2019a3f467c6808763a125b500655

SHA512
7d33578c574f2f8b74a5379c616bd8e7cbcf4b1c65227c1a6e98287b6acf4edf259ffb4a68c0f39fe64b00ad3ce03be013acce5a11fbccea9a697fad13815b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9R5JPYJC.txt

Filesize
224B

MD5
b4816465af2baf4fada5cec57adc9bd1

SHA1
ed319baf4bfe6ed4c0d26f1b4d1a39b48c0a5627

SHA256
8d4a433144c20c187bb542ca024a6869867b5f2799534ae2a01607947bbdfda1

SHA512
c3abfb739969004b279b781ca8bc9f684dc4bc53ae4bb88fe0c00a602853cfef79f6ef495206c6dfcf870d1013971503a233ef410fb185340842d782fa0c484a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A46UYOPW.txt

Filesize
94B

MD5
da074c011eeeb333b9cfe59ea1645f10

SHA1
b033d221940fe62dc55eda52d338ad21889a7e60

SHA256
f49af834b77fcf86f4d05726796c912fb45846d61d526e0338443eb71effa297

SHA512
fe6fb8dc4f231335d85c5280ad5654ee60c11a75fe76e8b51fc95719a8119bb6d8e267e8562a05c053081aba0a818e36c3bd6e18648ffa42e89bb562c4b5d2ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HW3C4PI7.txt

Filesize
112B

MD5
594d835d0ce29418ffa421271b563116

SHA1
660600a2cb5cb83d3c430eccba2bcecc4e03ee77

SHA256
b957994890aca71c91459484c4f9d0c402a7db8804e9907e600fec30b9f2c22e

SHA512
71099ba525d4b2072a709510ae2de92ba7d62d37df0c86aa41a2a44a9a919ed40272ec253ed0f5340c75eb051f4a278c788d36c22a437fcc87f168f14b387f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UQVX8M48.txt

Filesize
224B

MD5
7746b3caee1fa6a4cf2c6c0ba01667be

SHA1
1ce71b57f1f803153fd178e88ea296f29355af78

SHA256
25a5b0d52ac02c7048dafefca3e4daaa4192d183ee0064f271015ad99ff2fe7a

SHA512
9d24e85690593933e4592e7699f9839e07fc4eeda543de260ed937e64f1fef47bd13a20d4db44954cdca7ad931a6d804d6dec6be1cf4a5172abd29f428fa4399

Download Submit
C:\progra~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\progra~1\kingsoft\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\progra~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\progra~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\PROGRA~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\PROGRA~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
memory/612-83-0x0000000000690000-0x0000000000700000-memory.dmp

Filesize
448KB

Download
memory/2020-92-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/2020-98-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/2020-87-0x0000000002240000-0x00000000022B0000-memory.dmp

Filesize
448KB

Download
memory/2020-54-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/2020-56-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download