joker | 382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Size

764KB
MD5

88c4e1a1d9f9118acc9c3579e4f7b663
SHA1

b3aec4198939bfd6b351fb47a5c5698dc1a5cec1
SHA256

382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141
SHA512

71031a7c7c5669114594c8cbff0f518735bacdac61793a4d8875762dc5eac9c49239ff8fbc48d41743319227b8e10d5ea027b7a7bb90fd625a20aedb84c5afd5
SSDEEP

12288:lmxdDo+PWNKGA9MSTaTHM6Wxxn7Jn2saxb5R50WMPZqxG598/LWG10ayy4RJRSwF:lsh1PWEPaTTWxxn52sapSBR159iWG19g

Score

10^/10

joker discovery infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
540	KSWebShield.exe
2092	KSWebShield.exe
3516	KSWebShield.exe
4856	KSWebShield.exe
208	KSWebShield.exe
1624	KSWebShield.exe
3212	kele.exe
1464	GGExit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe

Loads dropped DLL 32 IoCs

pid	Process
3516	KSWebShield.exe
4856	KSWebShield.exe
4856	KSWebShield.exe
4856	KSWebShield.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
3212	kele.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
3212	kele.exe
3212	kele.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
3212	kele.exe
3212	kele.exe
3212	kele.exe
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	KSWebShield.exe
File created	C:\Windows\SysWOW64\safe.ico	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	KSWebShield.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	KSWebShield.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	KSWebShield.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\progra~1\Maxthon\Config\config.ini	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\Program Files\Kele55\GGPlayerInstaller.exe	kele.exe
File created	C:\progra~1\kingsoft\KSWebShield.dll	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\Program Files\Kele55\VideoEncode2.dll	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\data\HitEggs.swf	kele.exe
File created	C:\Program Files\Kele55\Skin\DefFace.bmp	kele.exe
File created	C:\progra~1\kingsoft\kwsui.dll	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\Program Files\Kele55\EncWmv.dll	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\VideoBack_4_3.bmp	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\worldBugleIcon.png	kele.exe
File created	C:\Program Files\Kele55\data\HTML\img\lock_cl.gif	kele.exe
File created	C:\Program Files\Kele55\ImageOle.dll	kele.exe
File created	C:\progra~1\ico\Film.ico	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\progra~1\ico\liaotian.ico	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\progra~1\kingsoft\KSWebShield.exe	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\progra~1\kingsoft\kwssp.dll	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\Program Files\Kele55\EquipCenter.dll	kele.exe
File created	C:\Program Files\Kele55\VideoDecode2.dll	kele.exe
File created	C:\Program Files\Kele55\gdiplus.dll	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\CapSreen.dll	kele.exe
File created	C:\Program Files\Kele55\Skin\MercurySkin.ggs	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\Config.ini	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\data\AudioEffect1.WAV	kele.exe
File created	C:\Program Files\Kele55\data\HTML\img\liebiao_di.gif	kele.exe
File created	C:\Program Files\Kele55\data\HTML\img\lock_cl.png	kele.exe
File created	C:\Program Files\Kele55\data\HTML\img\no_pic.jpg	kele.exe
File created	C:\Program Files\Kele55\uninst.exe	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\data\KingEnter.wav	kele.exe
File created	C:\Program Files\Kele55\AudioCodec3.dll	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\UIToolTip.dll	kele.exe
File created	C:\Program Files\Kele55\Skin\default_female.png	kele.exe
File opened for modification	C:\Program Files\Kele55\¿ÉÀÖÊÓÆµÉçÇø.url	kele.exe
File opened for modification	C:\progra~1\Maxthon2\SharedAccount\Config\Config.ini	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\VideoBack_16_9.bmp	kele.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\Program Files\Kele55\data\Update.dat	kele.exe
File opened for modification	C:\progra~1\TheWorld 3\TheWorld.ini	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\Program Files\Kele55\ProcessCS.dll	kele.exe
File created	C:\Program Files\Kele55\Update.exe	kele.exe
File created	C:\Program Files\Kele55\Skin\MercuryEquipCenterSkin.ggs	kele.exe
File created	C:\Program Files\Kele55\data\HTML\img\lock_op.png	kele.exe
File created	C:\Program Files\Kele55\MFC71u.dll	kele.exe
File created	C:\Program Files\Kele55\data\common.dat	kele.exe
File created	C:\Program Files\Kele55\ResCenter.dll	kele.exe
File created	C:\Program Files\Kele55\UIToolTip.dll	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\Alarm.png	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\ChatRoomUI.dll	kele.exe
File created	C:\progra~1\ico\Beauty.ico	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\PrivteMic.bmp	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\data\QueenEnter.wav	kele.exe
File created	C:\Program Files\Kele55\AudioCodec2.dll	kele.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\DefFace.bmp	kele.exe
File created	C:\Program Files\Kele55\data\HTML\img\lock_op.gif	kele.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c09a4a7a-dd18-4e72-9b2e-2bbd987faa17.tmp	setup.exe
File created	C:\Program Files\Kele55\Config.ini	kele.exe
File created	C:\Program Files\Kele55\VideoCapture.dll	kele.exe
File created	C:\Program Files\Kele55\Skin\Alarm.png	kele.exe
File created	C:\Program Files\Kele55\Skin\default_male.png	kele.exe
File created	C:\progra~1\ico\meiv.ico	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\Program Files\Kele55\ChatRoom\Skin\PointToPoint.bmp	kele.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022f6e-168.dat	nsis_installer_1
behavioral2/files/0x0007000000022f6e-168.dat	nsis_installer_2
behavioral2/files/0x0007000000022f6e-169.dat	nsis_installer_1
behavioral2/files/0x0007000000022f6e-169.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3686810819"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3748215733"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f4a2e176ccd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{04CE37D3-386A-11ED-AECB-520B3B914C01} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3686810819"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000416a7b73b7848a8db05ba5549cb6c6dc48385e94507b0c531c1edb74d9d87163000000000e8000000002000020000000d951427a04d16836349dc7a6772f56614e7119e5910f099990facd10f607ed7d20000000fe08f969824442c904fdf5623eaa8a5dd2dd51243f37b46354a251b172e2221f400000006582caa700e3673fd3134dca0f46451a495fe2f23a59ec5124af124c41f118d7d99a528b68ac7b77bda3c27dcdaac6f3c7ca41d024467b4819ff25a144d08ca4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000001cf3870e9b45fe6cf57cf466470d1f3a246ec881285e0eaf988099846497934f000000000e8000000002000020000000f08956032377edd6f9bdf627d4ee563f531bffc8afa3ed7fdab42c97643ee393200000005b83f814fba0b6e92201e1ac16934fa89c713c3cd8ef8b8f040d7d8f2ed133a240000000646f1b54a065aff625ab92071d05d22056b838b29357a833aa800c90a36a585c75df2ca39c07c6621077cc07bf908fdc7f65df763bc7de7f50f1e9953f7a5868	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370391338"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cdf3e476ccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\779dh.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.v258.net = "0"	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3842903183"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985334"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985334"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "126"	IEXPLORE.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	KSWebShield.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\ToolboxBitmap32	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\ProxyStubClsid32	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\InprocServer32	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Control\	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C104B2ED-79DB-445D-B13C-65A8BDE47DF9}\TypeLib\Version = "1.0"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E1236F-2C87-4C63-AC75-290DB2E94448}\InprocServer32\ = "C:\\PROGRA~1\\Kele55\\CHATRO~1.OCX"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\Insertable	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID\ = "ImageOle.GifAnimator.1"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ = "C:\\Program Files\\Kele55\\ImageOle.dll"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version\ = "1.0"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\ProgID	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}\1.0\HELPDIR	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}\1.0\HELPDIR\ = "C:\\Program Files\\Kele55"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ThreadingModel = "Apartment"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\TypeLib\ = "{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E1236F-2C87-4C63-AC75-290DB2E94448}\ = "ChatRoomOcx Property Page"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Control	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kele55room\shell\open	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kele55room\shell	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID\ = "ImageOle.GifAnimator"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\ = "_DChatRoomOcxEvents"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}\1.0	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}\1.0\ = "ChatRoomOcx ActiveX ¿Ø¼þÄ£¿é"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}\1.0\0\win32	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C104B2ED-79DB-445D-B13C-65A8BDE47DF9}\TypeLib\ = "{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\ = "ChatRoomOcx Control"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\TypeLib\Version = "1.0"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\MiscStatus\1	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\ = "_DChatRoomOcxEvents"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Implemented Categories	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\TypeLib\ = "{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}"	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Version\ = "3.0"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C104B2ED-79DB-445D-B13C-65A8BDE47DF9}	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C104B2ED-79DB-445D-B13C-65A8BDE47DF9}\ProxyStubClsid32	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\TypeLib\ = "{74CE87F2-8D6C-43E7-880A-0FECDB716C8B}"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\InprocServer32\ = "C:\\PROGRA~1\\Kele55\\CHATRO~1.OCX"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32	kele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C104B2ED-79DB-445D-B13C-65A8BDE47DF9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE1E6174-2BB5-48C7-9413-B7D307A45A87}\TypeLib	kele.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DECF57E2-63D5-4A3B-8973-1E9153BA11A9}\Version	kele.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1996	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeDebugPrivilege	540	KSWebShield.exe
Token: SeDebugPrivilege	2092	KSWebShield.exe
Token: SeDebugPrivilege	3516	KSWebShield.exe
Token: 33	3516	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	3516	KSWebShield.exe
Token: SeDebugPrivilege	208	KSWebShield.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeDebugPrivilege	1624	KSWebShield.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: 33	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
Token: SeIncBasePriorityPrivilege	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
2124	iexplore.exe
2124	iexplore.exe
2124	iexplore.exe
904	msedge.exe
904	msedge.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
4856	KSWebShield.exe
4856	KSWebShield.exe
2124	iexplore.exe
2124	iexplore.exe
2124	iexplore.exe
2124	iexplore.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
2124	iexplore.exe
2124	iexplore.exe
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 540	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	83
PID 868 wrote to memory of 540	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	83
PID 868 wrote to memory of 540	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	83
PID 868 wrote to memory of 2092	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	86
PID 868 wrote to memory of 2092	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	86
PID 868 wrote to memory of 2092	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	86
PID 3516 wrote to memory of 4856	3516	KSWebShield.exe	91
PID 3516 wrote to memory of 4856	3516	KSWebShield.exe	91
PID 3516 wrote to memory of 4856	3516	KSWebShield.exe	91
PID 868 wrote to memory of 3212	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	93
PID 868 wrote to memory of 3212	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	93
PID 868 wrote to memory of 3212	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	93
PID 868 wrote to memory of 904	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	94
PID 868 wrote to memory of 904	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	94
PID 904 wrote to memory of 2812	904	msedge.exe	95
PID 904 wrote to memory of 2812	904	msedge.exe	95
PID 868 wrote to memory of 2124	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	96
PID 868 wrote to memory of 2124	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	96
PID 3212 wrote to memory of 1464	3212	kele.exe	97
PID 3212 wrote to memory of 1464	3212	kele.exe	97
PID 3212 wrote to memory of 1464	3212	kele.exe	97
PID 2124 wrote to memory of 1884	2124	iexplore.exe	98
PID 2124 wrote to memory of 1884	2124	iexplore.exe	98
PID 2124 wrote to memory of 1884	2124	iexplore.exe	98
PID 868 wrote to memory of 4120	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	101
PID 868 wrote to memory of 4120	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	101
PID 868 wrote to memory of 5088	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	102
PID 868 wrote to memory of 5088	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	102
PID 868 wrote to memory of 5088	868	382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe	102
PID 5088 wrote to memory of 1996	5088	cmd.exe	106
PID 5088 wrote to memory of 1996	5088	cmd.exe	106
PID 5088 wrote to memory of 1996	5088	cmd.exe	106
PID 5088 wrote to memory of 5028	5088	cmd.exe	108
PID 5088 wrote to memory of 5028	5088	cmd.exe	108
PID 5088 wrote to memory of 5028	5088	cmd.exe	108
PID 5088 wrote to memory of 1220	5088	cmd.exe	109
PID 5088 wrote to memory of 1220	5088	cmd.exe	109
PID 5088 wrote to memory of 1220	5088	cmd.exe	109
PID 5088 wrote to memory of 1076	5088	cmd.exe	110
PID 5088 wrote to memory of 1076	5088	cmd.exe	110
PID 5088 wrote to memory of 1076	5088	cmd.exe	110
PID 5088 wrote to memory of 2116	5088	cmd.exe	111
PID 5088 wrote to memory of 2116	5088	cmd.exe	111
PID 5088 wrote to memory of 2116	5088	cmd.exe	111
PID 5088 wrote to memory of 460	5088	cmd.exe	112
PID 5088 wrote to memory of 460	5088	cmd.exe	112
PID 5088 wrote to memory of 460	5088	cmd.exe	112
PID 5088 wrote to memory of 1644	5088	cmd.exe	113
PID 5088 wrote to memory of 1644	5088	cmd.exe	113
PID 5088 wrote to memory of 1644	5088	cmd.exe	113
PID 5088 wrote to memory of 748	5088	cmd.exe	115
PID 5088 wrote to memory of 748	5088	cmd.exe	115
PID 5088 wrote to memory of 748	5088	cmd.exe	115
PID 5088 wrote to memory of 3140	5088	cmd.exe	114
PID 5088 wrote to memory of 3140	5088	cmd.exe	114
PID 5088 wrote to memory of 3140	5088	cmd.exe	114
PID 5088 wrote to memory of 2032	5088	cmd.exe	116
PID 5088 wrote to memory of 2032	5088	cmd.exe	116
PID 5088 wrote to memory of 2032	5088	cmd.exe	116
PID 5088 wrote to memory of 4776	5088	cmd.exe	117
PID 5088 wrote to memory of 4776	5088	cmd.exe	117
PID 5088 wrote to memory of 4776	5088	cmd.exe	117
PID 5088 wrote to memory of 2344	5088	cmd.exe	118
PID 5088 wrote to memory of 2344	5088	cmd.exe	118

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4116	attrib.exe
2268	attrib.exe
1904	attrib.exe
3060	attrib.exe
4780	attrib.exe
4812	attrib.exe
4740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe
"C:\Users\Admin\AppData\Local\Temp\382877d2ea21925cfc3848ead8856e65cf5d35a02b798cd6911c6160bfdbb141.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\kele.exe
  C:\Users\Admin\AppData\Local\Temp\kele.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\GGExit.exe
    "C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\GGExit.exe" 5
    3⤵
    - Executes dropped EXE
    PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.v258.net/list/list16_1.html
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffddefe46f8,0x7ffddefe4708,0x7ffddefe4718
    3⤵
    PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 /prefetch:2
    3⤵
    PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 /prefetch:3
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
    3⤵
    PID:952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    PID:5264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 /prefetch:8
    3⤵
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:5536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
    3⤵
    PID:5828
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff77b5e5460,0x7ff77b5e5470,0x7ff77b5e5480
      4⤵
      PID:5912
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2544,4641530202666370444,1903185860516361294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
    3⤵
    PID:5460
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-31
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:17412 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1312
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk-31
  2⤵
  - Modifies Internet Explorer settings
  PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:f
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:f
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:f
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:f
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:f
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:f
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
    3⤵
    - Views/modifies file attributes
    PID:4780
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:4812
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:4740
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:4116
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2268
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:R
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:R
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:R
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:R
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:R
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:R
    3⤵
    PID:3752
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-31
  2⤵
  PID:3404

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Desktop
1⤵
- Drops file in Windows directory
PID:4776

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Favorites
1⤵
- Drops file in Windows directory
PID:1648

C:\progra~1\kingsoft\KSWebShield.exe
C:\progra~1\kingsoft\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4856

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -install
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini

Filesize
77B

MD5
92aa0dc819b12f81ddcc6287eb5f0a6f

SHA1
ab609024a66ef563e45edfa8cca46e87ba6c65da

SHA256
02212e6b564291213b34698b427d6d2eb01f35a196d418ade6fbfc3a20494783

SHA512
95fe036d4e7d8607d94dea8988f59c70b8b264c053ce57002bb79843e2f22e3fba440867df5349e5c88c44c6cf8d09bd323a9d5ed6ec0d9740f76bef1a132c76

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
202B

MD5
a1b611334e97c847a300d007851b89bb

SHA1
d49adb3c113d7227460cc2055e1ec9ba83d13fbf

SHA256
aebbaedb757b963334d36c9e90437ae851f581cba1b0317ef9f7dd62a8dce39e

SHA512
37a89928a27ab23749abd26496513f6f533e2ecaa81f485b16c7897c4a9c228181fd4f274b2f757d1bd7fa631508e75a6e70e770976c7a4229129ca483e25252

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
448B

MD5
6cd98edefa0a1e23bf60900af63341ec

SHA1
0a68d648e225360a9b03696c7bfc3366e16ec4c7

SHA256
314e24d8ccebc41782ba5bba03c776da7f0180c04c8f3ba381c3a01502a5d386

SHA512
83ed0b4e893e164d87ec98fd1b8a9897454f5583e6a613c58c40f4704fe95dd458d30b702936a98b6fbb2016021f08079b74e0ee61ecba3d4ba5114ce2aa6d88

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
546B

MD5
a61f3c72ffc0f2a8d3824296fc3729db

SHA1
cdbbb3f777b5d827a60eadcb425fa5057abc5bef

SHA256
1afe28ccd27495c6259a273b5c6d71d25be4d85ed7a6a54b5e874fbef295c391

SHA512
2f8eadcb18e8de4ef0571076997555e6329a32e4922821d18ac257ef5013c4ff20926303ec760d9a0e0be7aaaf02b9a9dd7f942d84ac5675b40ee4fcaae18c2b

Download Submit
C:\Program Files\Kele55\ChatRoomUI.ocx

Filesize
36KB

MD5
e416ffb2dfe547c0d3ff1d1960ad561f

SHA1
3863d1709510311bc9a79608407bc1f9958e14a1

SHA256
6c89aba1bd7b9e90dca26fccd3934d9f10e746dabb91ec1c3fae4e073d676d55

SHA512
0a8591cdd49f8053008ca3288f15992bfe5d106f7645f1c557e7e5beadea34e8f7c049828cb6a029dd47f518c67703e0326a1f67952bafa4ca6845828bc1a0a4

Download Submit
C:\Program Files\Kele55\ChatRoomUI.ocx

Filesize
36KB

MD5
e416ffb2dfe547c0d3ff1d1960ad561f

SHA1
3863d1709510311bc9a79608407bc1f9958e14a1

SHA256
6c89aba1bd7b9e90dca26fccd3934d9f10e746dabb91ec1c3fae4e073d676d55

SHA512
0a8591cdd49f8053008ca3288f15992bfe5d106f7645f1c557e7e5beadea34e8f7c049828cb6a029dd47f518c67703e0326a1f67952bafa4ca6845828bc1a0a4

Download Submit
C:\Program Files\Kele55\ImageOle.dll

Filesize
72KB

MD5
7da17dc2ce294bc6b5a3ea512178d5db

SHA1
6e08bc0c17375ca01264e7bad7ac437cf6e49b04

SHA256
3950bc2b1ad32e8cfcdecc44acff61383b14e6ec4daa4866ec0337f8787c1f86

SHA512
0885eef3823e37df9ec151add8dcab90408aeecfed9807e5ed920f6bc948de4b89ad0fe338989b09978810ed8c47c9c6b2fcd4e4eb2dc222a9cf668fba5f1d39

Download Submit
C:\Program Files\Kele55\MFC71u.dll

Filesize
1.0MB

MD5
7063bcac60346c7d30fafb54aa408a5a

SHA1
10ab5d78e84ffeb02226f8c2a3af10e04fe690e9

SHA256
496733e440f92ce6c83b35e1973f81923c964c14e1873118d7964a76c4e62398

SHA512
d4481327080b1e7ff457fdca1856c4e8a4015980884bab5b44f14d33ea1fd4b7038258424fb9843afd3a0a31b8f0d645891c0cc02a0c36146f111eae9ef19735

Download Submit
C:\Program Files\Kele55\MFC71u.dll

Filesize
1.0MB

MD5
7063bcac60346c7d30fafb54aa408a5a

SHA1
10ab5d78e84ffeb02226f8c2a3af10e04fe690e9

SHA256
496733e440f92ce6c83b35e1973f81923c964c14e1873118d7964a76c4e62398

SHA512
d4481327080b1e7ff457fdca1856c4e8a4015980884bab5b44f14d33ea1fd4b7038258424fb9843afd3a0a31b8f0d645891c0cc02a0c36146f111eae9ef19735

Download Submit
C:\Program Files\Kele55\msvcr71.dll

Filesize
348KB

MD5
e0fabf09d0e4e389acd7606359f4d47d

SHA1
780b9e18e8cf066d0aa57fc2e3485db24860e09d

SHA256
94e1eccf3d497bb0b5bf8bf79231d7ac70720ce8c51f5e14ec459d6a077b6a5a

SHA512
cee9e228b76a33f5dca82b796e3e42dccc0771677eb7979014e9a65ad1dce805656c5ceab37e689a002ad193cb5e9da168f75e305b993b561852dc4d851172be

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
648B

MD5
dcc15311757213319b1e3594ee591379

SHA1
44ac5b1ad23ab41a5e05a1bf0d531557a4a00287

SHA256
b7fea2586ea3911b8305dc6be843a8ba202ba8c87162429e0ee109cdad2dc456

SHA512
e0ce5d97eaaf5aa63a5bb2e2fbf13e0fa8c7d215ba3d3a9557f9f07a63c0c4402b9bb2bb7c9eab0cdc8e589d6fce180217c41bc798bac8b9f128004f601bf52c

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
748B

MD5
17f400907d09dd01c086be76b29a3ea7

SHA1
b0c1ad429be6d67dd5dd7e6fa43f85d9bf7ad0ba

SHA256
539e52d3e8c8704c22f73e89a48bc8b8a738950daf11b015b4538fd5f87ca30f

SHA512
694911ce464cf4307f2ae5476a3c046e77677c56f5bfa3e5b853a7f9752937be8d6910eea0343fdfea00c05ae72d6e4ce509104a1d58d26be6f0bbf693722b55

Download Submit
C:\Program Files\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\Program Files\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360safe.lnk

Filesize
1KB

MD5
afdaa0f8fe68385a1462c04d643a9fb3

SHA1
0d74930cb813ba358966a6d2cdfc3bcb6485059b

SHA256
77a8e36c103868a6e72eda4645edf3a0d4b389bffabc94265edefcb81bf0c260

SHA512
1f5f5073f65e18503abf16e446985c22875d98b7653a0ce1c72796d4d0b75924eaebab2d4c76ddb6c9bbdebad9bccc47f5fa2220ed7a9a8dec6034109a31329f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360sdo.lnk

Filesize
1KB

MD5
e1479140e33c64045f391b3170eeb042

SHA1
4a901d047e16bd85e8fa938dd2dd546841eb659a

SHA256
c6d6a2c5ed72b6576b539a20733cad000bb3f80113fe8dc081cc9249f480ba0e

SHA512
6eb60904b7c7af1ed56fee719480a80dd08e988c0e4a57d9e55f7cc7c84369298391dfd1e9ddb4f02094956166d1d286cbb8f2f00db532c810b446faa04cc37d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\KSWebShield.lnk

Filesize
1KB

MD5
0d7e5f7d054e39af62e514a0ea337112

SHA1
40508682eb69328c1bfcbf5dba12dad705de6803

SHA256
7995773f7eae7d0c4607aadf5ded3744ef9b7b11f01a48f84e9b9a9d1a2c7c15

SHA512
39e1b8e2dd4fca3b4b376ff8cc9b8e87964b777418c345f0db6e523536198ae616b4f03328774a5215f446f8047eed8e8c6bb73685f0f23b8242498a0cf96e32

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\½ðÉ½Íø¶Ü.lnk

Filesize
1KB

MD5
2d6fb6f0b4ba8bcadfdd45a2dd4131b3

SHA1
95938b42bdaa011bb8196c1b89efaed3d1ca15be

SHA256
7a2e6a6fcbfc0642d717738fde2e30020d5aea380578e934521198acb05cb490

SHA512
0d3828e71f268d3af1cae5a4c57e33dac5391baf68d21c07ca7e74027bb2291bdd0744c7cdb717633519045966a8d61df418fea02edd9fd2df798db41cef1c4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
ff4d2969ad700e9beecad6109e6e527c

SHA1
76e0162260f57e4db2dea5274d07cd879e7e04e9

SHA256
7ec9613fb353f39c84ff72b99c10926016a5b24ecf2824a4b5907ffccfada290

SHA512
f4090f81db7a9c8017195030671f1319875cb773425dd77b01c3c9c61fc5159dd2df829502fff7005c018572627742da81b142b3c76ec13e4db6444ed75c1cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
25c328f8a0e14700e1d2bace17d7ae5a

SHA1
5832ce09815c2f205ded062257459f858c81f88c

SHA256
94a444485f0eaaca796718beccf11c1abdcbd397f60dde89d53ed01b7f456a26

SHA512
094e1e5ab93e9cde803f017927660fe2ac56d0e6e8245c28eab41066c3b48cd34330ec656d71417c55aff76b70142aae0ea807b9acf6ef4a71e06956ccd6aebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
698fa9328c35f282d8c0e2fc10645b02

SHA1
2d5e9d290dafb40390cc40aff29a0ad68b4158e6

SHA256
b77698610da9712f5bb1ea9657a44a0847d1c476617e149a4c56fa5b19d301f7

SHA512
a81128cd3fcfa9e85d440f8ce476cc19a2279f142f45cd03f8d712415af9c39d414458090bb1b1e9d1b9ff5527671d3552e3c7eb6f939c584d38637a46843b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kele.exe

Filesize
8.4MB

MD5
43d3fcc2577e7141d2451e57a506e49e

SHA1
d1eb93e86495bc7eaf94c333d41aa482ee060410

SHA256
75833e410c5d4478559d54782ea8df6023b4e171a135ea645f10f143140f2d80

SHA512
c51d6c87b080e38ea667b383092bd59956befce84b40a990d29e13d5a7be68948f6a7d4001759323e3cc7717a07a5362d2ec1b04010fa90a031db18ad4d6e730

Download Submit
C:\Users\Admin\AppData\Local\Temp\kele.exe

Filesize
8.4MB

MD5
43d3fcc2577e7141d2451e57a506e49e

SHA1
d1eb93e86495bc7eaf94c333d41aa482ee060410

SHA256
75833e410c5d4478559d54782ea8df6023b4e171a135ea645f10f143140f2d80

SHA512
c51d6c87b080e38ea667b383092bd59956befce84b40a990d29e13d5a7be68948f6a7d4001759323e3cc7717a07a5362d2ec1b04010fa90a031db18ad4d6e730

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bat

Filesize
1KB

MD5
7224ccf9d4354e76d4b5e8b57d5dab17

SHA1
2a910ce03a6b7cfb09c220d85577258cb3ef3a7d

SHA256
76487df756feb13baa1af6c7b09041beb7c80115547796e126a4da2bf867a6df

SHA512
f601bc1148f38a8cbf72cd8e983326a673ffd8c4d69f413abeeba869f29ac7097eb3613cc2303a1c08c4d6fa2a694ac193d416fea41c48316e82c7f51b57e57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\GGExit.exe

Filesize
56KB

MD5
fea0154cae761242bbfeca2355165783

SHA1
10207257da49ab8b8957184f3029d45a81388012

SHA256
2526158697ac198ccb0d78dcfb8c23a2311fda0a425e252b28bb0af51dd36edd

SHA512
eb500843daeae9daba806ef96de0ade8f8efac0595911db1fab1d4d14c40acf641a2d9e6152536e83ba1c62e57de39fbb5bd744f649cab1a681f5cb4b9d55b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\GGExit.exe

Filesize
56KB

MD5
fea0154cae761242bbfeca2355165783

SHA1
10207257da49ab8b8957184f3029d45a81388012

SHA256
2526158697ac198ccb0d78dcfb8c23a2311fda0a425e252b28bb0af51dd36edd

SHA512
eb500843daeae9daba806ef96de0ade8f8efac0595911db1fab1d4d14c40acf641a2d9e6152536e83ba1c62e57de39fbb5bd744f649cab1a681f5cb4b9d55b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\SkinBtn.dll

Filesize
4KB

MD5
e4ec95271ff1bcebab49bdfed6817a22

SHA1
2c03e97f4773aea80ecdb98a1482e5896fe4677b

SHA256
ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6

SHA512
771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\SkinBtn.dll

Filesize
4KB

MD5
e4ec95271ff1bcebab49bdfed6817a22

SHA1
2c03e97f4773aea80ecdb98a1482e5896fe4677b

SHA256
ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6

SHA512
771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\System.dll

Filesize
10KB

MD5
2b54369538b0fb45e1bb9f49f71ce2db

SHA1
c20df42fda5854329e23826ba8f2015f506f7b92

SHA256
761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f

SHA512
25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\System.dll

Filesize
10KB

MD5
2b54369538b0fb45e1bb9f49f71ce2db

SHA1
c20df42fda5854329e23826ba8f2015f506f7b92

SHA256
761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f

SHA512
25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\WndSubclass.dll

Filesize
4KB

MD5
0a0218f11d82cdcc4f50de8edd58f3ca

SHA1
ba387579a8ddd175811c762902a9bf3a51ba9fd2

SHA256
938e4ae758aebc6f1609aab9f8d068689fba91c6f3bf5bb46e4df575616fcd29

SHA512
46742bc09b5199ac16fb2753a4b1584fa1b39d497869719e297574dfbfe4a0aa86ba7c6b77ef38e5e27734005c9d15036c52a577b08cfdfa104daae2ee756a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\WndSubclass.dll

Filesize
4KB

MD5
0a0218f11d82cdcc4f50de8edd58f3ca

SHA1
ba387579a8ddd175811c762902a9bf3a51ba9fd2

SHA256
938e4ae758aebc6f1609aab9f8d068689fba91c6f3bf5bb46e4df575616fcd29

SHA512
46742bc09b5199ac16fb2753a4b1584fa1b39d497869719e297574dfbfe4a0aa86ba7c6b77ef38e5e27734005c9d15036c52a577b08cfdfa104daae2ee756a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\nsDialogs.dll

Filesize
9KB

MD5
c6284e23cd7e4d11db8298deb4541083

SHA1
e338686c7579620383ab8cc5a51bbb8d846f60cf

SHA256
79914940cbbf70a385f13a9970a9d577d7a7e07d240fe44563b45a472cd4bc3f

SHA512
72103e470d770fb402a18e975ff339526a3e4c9aeb8fac1b0977995a6eace0eca965b1915404df9b5a25b59628db1b199d2b9b10372841309c137054356a5cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDBFF.tmp\nsDialogs.dll

Filesize
9KB

MD5
c6284e23cd7e4d11db8298deb4541083

SHA1
e338686c7579620383ab8cc5a51bbb8d846f60cf

SHA256
79914940cbbf70a385f13a9970a9d577d7a7e07d240fe44563b45a472cd4bc3f

SHA512
72103e470d770fb402a18e975ff339526a3e4c9aeb8fac1b0977995a6eace0eca965b1915404df9b5a25b59628db1b199d2b9b10372841309c137054356a5cd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\¿ÉÀÖÊÓÆµÉçÇø.lnk

Filesize
856B

MD5
0b5836842a957a81194d1cc3e544f844

SHA1
53ad5817237854712501fe0b867d40670b93e8cd

SHA256
7a71ac8c9f3d47ea12c2e81c170bdcfaf4944dbc5301be43e3aeff7f2eca5c09

SHA512
584f85e5ad2c36362bab858b5daa8f3ac7678f72d36b4ac28e410d369efbfaf1f3edb9732e811f1bad191d6d02acff9848ac3da15786700657cb5362fc36335d

Download Submit
C:\Users\Admin\Desktop\¿ÉÀÖÊÓÆµÉçÇø.lnk

Filesize
832B

MD5
8f2fdc8df3ceb2402fcdf875826d98b8

SHA1
91affc6c05115eb2b6ca27d1fb543944a573d020

SHA256
26bb723dfe58a357b5e3dfa0e36090eaabe3407faae956982c97368201db1535

SHA512
38bd1f614b2d45b03620792a9749dc4536ae2af37b942a00553bb77054140c05c33ef90a7943b61c0ce18e4fbf9dceeac52d59247f2f38db6ed950f9995d8874

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
169KB

MD5
6e557c8ef97e867ad7cb860e982c0565

SHA1
8682d80b9cae212e966e5e398b8c8bb039778293

SHA256
3364540e159cacc22a9b14d5b9febce7fd71fe23edc2ca6c88dfce6f9fe1d771

SHA512
3bf3bfa09e65a2244f95dd7ec3c7572b57b3311fb8ff60770ec2b54686505071e741f40eb073eb41ed8f07c0c38caf305ea7018052db19c2d894449d56432ac5

Download Submit
C:\progra~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\progra~1\kingsoft\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\progra~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\progra~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\??\c:\users\admin\appdata\local\temp\url.cab

Filesize
6KB

MD5
a850198c5a2a745131584d535fd8b1f1

SHA1
cc9e4398441b0960c8af687bc2c590ac2020f1f2

SHA256
3bb4f7b8125ee3adf9e8dcbe705335e54f09402367d174d466e1ae0249c95d09

SHA512
4680dd5c181d29bbbbce98c740d13bcc935b6d0aa603789936dae9c1df4e70bf5e8db7f246522505c9f85bd67caddec0047a88b8b52d3213c7ebe66c460ac4e1

Download Submit
memory/868-134-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/868-135-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/868-132-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/868-133-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/868-163-0x0000000005E80000-0x0000000005EF0000-memory.dmp

Filesize
448KB

Download
memory/3212-202-0x0000000006C31000-0x0000000006D0B000-memory.dmp

Filesize
872KB

Download
memory/3212-201-0x0000000006C30000-0x0000000006D32000-memory.dmp

Filesize
1.0MB

Download
memory/3212-195-0x00000000067B1000-0x00000000067B4000-memory.dmp

Filesize
12KB

Download
memory/3212-186-0x0000000006741000-0x0000000006743000-memory.dmp

Filesize
8KB

Download
memory/3212-173-0x0000000002100000-0x0000000002170000-memory.dmp

Filesize
448KB

Download
memory/3212-189-0x0000000006751000-0x0000000006753000-memory.dmp

Filesize
8KB

Download
memory/4856-156-0x00000000020C0000-0x0000000002130000-memory.dmp

Filesize
448KB

Download