joker | 1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Size

798KB
MD5

abec9291db0fd4f02cd0ed2ad1a4b7ef
SHA1

42594e521b500a78ad64e600abc4b5555f5ffa34
SHA256

1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db
SHA512

77b3c38246bf4fcd5bca9832bca3e08b1bf9fc380e668afaa9efa1ec9dfa77b4519df0f23bd4a8decab50528f43dcc6c6f0e5363da5af521ada737e921db1392
SSDEEP

24576:IPf1+qa9/TqHS/zuZy7o+oDIaEKKnCUgLcfqqxu+7r:FrdQZy7o+oD0KdxkuYr

Score

10^/10

joker bootkit infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 6 IoCs

pid	Process
1828	KSWebShield.exe
1476	KSWebShield.exe
1620	KSWebShield.exe
1772	KSWebShield.exe
1388	KSWebShield.exe
2016	KSWebShield.exe

Loads dropped DLL 20 IoCs

pid	Process
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1620	KSWebShield.exe
1620	KSWebShield.exe
1772	KSWebShield.exe
1772	KSWebShield.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	KSWebShield.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\progra~1\ico\meiv.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\ico\Video.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\ico\Manhua.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\kingsoft\KSWebShield.exe	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\ico\Film.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\kingsoft\kwsui.dll	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\kingsoft\KSWebShield.dll	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\TheWorld 3\TheWorld.ini	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File opened for modification	C:\progra~1\Maxthon\Config\config.ini	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\ico\Beauty.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\ico\Taobao.ico	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File opened for modification	C:\progra~1\Maxthon2\SharedAccount\Config\Config.ini	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File created	C:\progra~1\kingsoft\kwssp.dll	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	1400	WerFault.exe	23

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxtv6.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "378"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1A24071-3857-11ED-B559-F63187E7FFAB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7079a4c064ccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000001b0ce70cbddfc53f7319212a274d64933fb0b96a4dbcfdb18e11aae47420ef36000000000e80000000020000200000001f6fb6e5c3753f9b74c8c07a415266743257dfca6a6aadfe13b4ad7221b827cd20000000aabb7eee07b04c2eee9ed0664cdb08f9a7ab07ecc9304335c0435eb4436b1b1d40000000ef4cd6b88ba96f76264e51d8369c983c1c2b9d03244a91adf7d088e7e125d29dff10a2542c1fe70e9a0226e854242e9593e6e28bc2d6fc37b35516806d262f25	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000007c5d6879448f0ad993cc3bae65c545c0cf0babc64c8b1a91ca416fd9375713f1000000000e8000000002000020000000dd29fbf8e9691aac45a51890bdc0b3bffb16d0f458a1d8c64f8dec11be895b7990000000844ef58c29cd3f4e7b1162902ae47fac9c26df481086526963d9b36cdb2cdde18dd9edbb2c431d67db7b7ee5405662f8bdf2520b077f18eeddb2280ea97f5ebe5d206ab99a436c34e8a927254b65f7f3d94ebd919e4a42ac1242a99607c6b74569a20d54560e782b4ad74b589f2ae95521c4f04e109c622d0843a8f1c2bacc65f16c4ef89939ed85c198e2422a3bcadc40000000e3b3cc25d462f2a26637ee23142a2c6b145154f9186993b6da403534e320bdc30dafa9c6fe10282286fdb5c2f7c8b9cb21948605efe7642657489a0b59ff42a5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.31166.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxtv6.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.31166.net\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.31166.net\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\31166.net\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370383563"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionReason = "1"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionTime = f0d8efbd64ccd801	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecision = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionTime = f0d8efbd64ccd801	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionReason = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecision = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadNetworkName = "Network 2"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\76-03-fd-b3-6a-ca	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KSWebShield.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeDebugPrivilege	1828	KSWebShield.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeDebugPrivilege	1476	KSWebShield.exe
Token: SeDebugPrivilege	1620	KSWebShield.exe
Token: 33	1620	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	1620	KSWebShield.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeDebugPrivilege	1388	KSWebShield.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeDebugPrivilege	2016	KSWebShield.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: SeIncBasePriorityPrivilege	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
Token: 33	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
816	iexplore.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
816	iexplore.exe
816	iexplore.exe
816	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
816	iexplore.exe
816	iexplore.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1772	KSWebShield.exe
1772	KSWebShield.exe
816	iexplore.exe
816	iexplore.exe
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
816	iexplore.exe
816	iexplore.exe
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
816	iexplore.exe
816	iexplore.exe
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 816	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	29
PID 1048 wrote to memory of 816	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	29
PID 1048 wrote to memory of 816	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	29
PID 1048 wrote to memory of 816	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	29
PID 816 wrote to memory of 1740	816	iexplore.exe	30
PID 816 wrote to memory of 1740	816	iexplore.exe	30
PID 816 wrote to memory of 1740	816	iexplore.exe	30
PID 816 wrote to memory of 1740	816	iexplore.exe	30
PID 1048 wrote to memory of 1828	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	34
PID 1048 wrote to memory of 1828	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	34
PID 1048 wrote to memory of 1828	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	34
PID 1048 wrote to memory of 1828	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	34
PID 1048 wrote to memory of 1476	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	37
PID 1048 wrote to memory of 1476	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	37
PID 1048 wrote to memory of 1476	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	37
PID 1048 wrote to memory of 1476	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	37
PID 1620 wrote to memory of 1772	1620	KSWebShield.exe	39
PID 1620 wrote to memory of 1772	1620	KSWebShield.exe	39
PID 1620 wrote to memory of 1772	1620	KSWebShield.exe	39
PID 1620 wrote to memory of 1772	1620	KSWebShield.exe	39
PID 1048 wrote to memory of 1632	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	40
PID 1048 wrote to memory of 1632	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	40
PID 1048 wrote to memory of 1632	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	40
PID 1048 wrote to memory of 1632	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	40
PID 816 wrote to memory of 1216	816	iexplore.exe	41
PID 816 wrote to memory of 1216	816	iexplore.exe	41
PID 816 wrote to memory of 1216	816	iexplore.exe	41
PID 816 wrote to memory of 1216	816	iexplore.exe	41
PID 1048 wrote to memory of 1948	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	44
PID 1048 wrote to memory of 1948	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	44
PID 1048 wrote to memory of 1948	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	44
PID 1048 wrote to memory of 1948	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	44
PID 816 wrote to memory of 1180	816	iexplore.exe	45
PID 816 wrote to memory of 1180	816	iexplore.exe	45
PID 816 wrote to memory of 1180	816	iexplore.exe	45
PID 816 wrote to memory of 1180	816	iexplore.exe	45
PID 1048 wrote to memory of 2808	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	47
PID 1048 wrote to memory of 2808	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	47
PID 1048 wrote to memory of 2808	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	47
PID 1048 wrote to memory of 2808	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	47
PID 816 wrote to memory of 2976	816	iexplore.exe	49
PID 816 wrote to memory of 2976	816	iexplore.exe	49
PID 816 wrote to memory of 2976	816	iexplore.exe	49
PID 816 wrote to memory of 2976	816	iexplore.exe	49
PID 1048 wrote to memory of 2832	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	50
PID 1048 wrote to memory of 2832	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	50
PID 1048 wrote to memory of 2832	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	50
PID 1048 wrote to memory of 2832	1048	1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe	50
PID 2832 wrote to memory of 2888	2832	cmd.exe	52
PID 2832 wrote to memory of 2888	2832	cmd.exe	52
PID 2832 wrote to memory of 2888	2832	cmd.exe	52
PID 2832 wrote to memory of 2888	2832	cmd.exe	52
PID 2832 wrote to memory of 2204	2832	cmd.exe	54
PID 2832 wrote to memory of 2204	2832	cmd.exe	54
PID 2832 wrote to memory of 2204	2832	cmd.exe	54
PID 2832 wrote to memory of 2204	2832	cmd.exe	54
PID 2832 wrote to memory of 3044	2832	cmd.exe	55
PID 2832 wrote to memory of 3044	2832	cmd.exe	55
PID 2832 wrote to memory of 3044	2832	cmd.exe	55
PID 2832 wrote to memory of 3044	2832	cmd.exe	55
PID 2832 wrote to memory of 2944	2832	cmd.exe	56
PID 2832 wrote to memory of 2944	2832	cmd.exe	56
PID 2832 wrote to memory of 2944	2832	cmd.exe	56
PID 2832 wrote to memory of 2944	2832	cmd.exe	56

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
992	attrib.exe
2156	attrib.exe
2888	attrib.exe
2144	attrib.exe
984	attrib.exe
2872	attrib.exe
2176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe
"C:\Users\Admin\AppData\Local\Temp\1e96088fafe648ddc1450dbb629706ea99a48999f667e47f0d843f94bfbc24db.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v258.net/list/list16_1.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275464 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1216
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:209947 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1180
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:865293 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2976
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-31
  2⤵
  PID:1632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.31166.net/?uk-31
  2⤵
  PID:1948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-31
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:f
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:f
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:f
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:f
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:f
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╥┴╚╦┼«╨╘═°.url" /p everyone:f
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2144
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2872
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:992
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2156
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╥┴╚╦┼«╨╘═°.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:R
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:R
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:R
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:R
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:R
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╥┴╚╦┼«╨╘═°.url" /p everyone:R
    3⤵
    PID:2408

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Desktop
1⤵
- Drops file in Windows directory
PID:976

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Favorites
1⤵
- Drops file in Windows directory
PID:1312

C:\progra~1\kingsoft\KSWebShield.exe
C:\progra~1\kingsoft\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1772

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -install
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1400 -s 1128
1⤵
- Program crash
PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini

Filesize
89B

MD5
646a584da69d487790f51d4028f1395f

SHA1
bb9b557c14721dc6d0be8226ac227a5589b254a4

SHA256
178d67257f5c28acd5f3bcc46845c4760defa6bb380f6c3c6cd4df8fff664488

SHA512
96e2e4657b2e624516f22a7eb97d526da5422b557a9897c967a95b6992c71134659cda4b514177af852d6352d55ee346460b50dec991fe58d1c542e9e9b12d10

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
163B

MD5
45ca14e78bc5095930c292c307ede309

SHA1
54565f549a3db0c0052e4c64f8a24c1087526b3b

SHA256
9672f69f019f2b6a97b337e8e60b207849df2faa2d08e389ac6c4758205bc932

SHA512
1ac37b0577c0b4e27b254a3ff73648c8dd87f2c44cac6ebde4a5e7d790d40fc7a301137a49163c50bfe0beca5d5a37af8d3eb589d46a2f4f346b094e23a697e7

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
296B

MD5
b0099026477075fe9931d796484f441c

SHA1
e217d420612db37f6f1fad0fdc9bf453395bf30d

SHA256
29628a46156543378557694a7a28c247b3a7dd737ad535b4a635ba401de541b6

SHA512
8775d849751728eb1d0ac431e38566c71e860c935646704562f546f8c0631d44cb99500138fab070f19485599ff3ef108f90179e539cde154991251fb88677e4

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
546B

MD5
bcf43d21c1eed750b6307a643871c60d

SHA1
16cef753ee1bfc8830ea636c363e1b292cd31dce

SHA256
816f0c1100d26afd04fcc4a7a1d986740c8d06fbd108ce362d19e5bde4666f72

SHA512
bad0ec64b7769368bbe6b2be0dbe0f7a59b8f1a0123771a65b06233a3f3b75bdb0ea2ddcbfb5bb440178780e47ae386fb258c74a8888909a1c49eaa78fed0389

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
648B

MD5
fb2dfde847b81925b4b31ccf1c5052c0

SHA1
52ab95484ed1705cb4b1748bad5e4ec0d3665e27

SHA256
47f9e2685814e2903e7fcd61b43f32bbb2e2bbbcaeff872a0ad84115a4802d16

SHA512
4c35b1af843e246a31d9b8c843f03b3f929390b9f6ca7fdbea95e2c85485283b548eee0be4f7a06f70f811afa8cb4ff445d88ff00b4c7709aa676d2abe494506

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
748B

MD5
dec27b7f34860323a2bbc4c536a1976c

SHA1
ad149cb76be9a6d4699ad205429ccfc8a0b4faae

SHA256
1c9763ed3ece76ea60e31f4434b322410b3e5d2362ffb4d233092051511e5359

SHA512
afa1411723dd4953f1da50a34cae61f03bb80b836415dd8f4927b7fb3233c25fb9ca348cebaa0ffb71187dfd3d2453d749f7cdb80a4bb28c4e9121fcdd097709

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360safe.lnk

Filesize
1KB

MD5
b14acff1de0c70613027b89e9a529ba7

SHA1
58a2269130759e5b3aa2e3079843904c4061f02d

SHA256
c984bdae03d919d9215b37f3f7b2d96b63139f9e581105c504c0209f14168648

SHA512
5e8c6931f5e5def76bb2f990317ca1b1b416e860cfb7f92076d9c568f4e4bc28913bd12232e360947ff005cf8b5f44bb74e3c7365e490970ba28309261f83c44

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360sdo.lnk

Filesize
1KB

MD5
2d3a6f56e964f79538bd174cc3ea0e2d

SHA1
7ff5b41aefa3966eba7eecec76869ce087681b14

SHA256
f11ac96579974de63819d108a4ad171902838b2560443c93fe10605163949c98

SHA512
6591d2f2d7505266cee91985cd3a541768dd12c85654e807fc8db7124f9128bd92df0cdf5af2470b7d1714f79ee36fe923e7775ef2ab81050caa5dbec79222f7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\KSWebShield.lnk

Filesize
1KB

MD5
68ee6220bac095d08a48e5d4c8156228

SHA1
009014f6683e13820f29f18a4fd5e39cf959e807

SHA256
6eb529088425466b74392b002dd749a9d9237412133e7d4488734f56f97f66fb

SHA512
f46b309cc26a186193d045a4e0ea25543039857c0f3b256c532d9e1f47692d7ba8b49d07acf0ef56b3ee6fea070c3d265cc86ed882e8ae6f298350ad3626a905

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\½ðÉ½Íø¶Ü.lnk

Filesize
1KB

MD5
c050f25d422705a82ad4ad90c8873e87

SHA1
7e0ffcfb29e14c67799270a5053ddec3bf13b437

SHA256
718273a4ebdb55366aa31cb24914425001e952875bc6b165b56c1d4d4db1d85f

SHA512
d02170680315a03734dd4ba9f131a828808ac60be91b594977b9924158ce7797ffef1d39c17b02dbe0cf3e6f24f3dbbd5042d67c0e31b09276cba84d61005786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
ff4d2969ad700e9beecad6109e6e527c

SHA1
76e0162260f57e4db2dea5274d07cd879e7e04e9

SHA256
7ec9613fb353f39c84ff72b99c10926016a5b24ecf2824a4b5907ffccfada290

SHA512
f4090f81db7a9c8017195030671f1319875cb773425dd77b01c3c9c61fc5159dd2df829502fff7005c018572627742da81b142b3c76ec13e4db6444ed75c1cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
54915b7f481e70c76e882b657a25850a

SHA1
333a15dbd0710339245402f584c7b6f8cacf461d

SHA256
0c9baf9f6766cfe041d0a2444dcb97fca7d018d9e42f0825fc90e203f2724cb5

SHA512
a55dbb04a88797882f3b73b3e75f1680e821f02534149295d33a6ba985a6697281dd2e7cf11ea286998dae66efa56c25074b7f9fd8d304073b519245ac84e606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
61e7ba95403d91a6e5f9286e4d70bbf0

SHA1
2d23f133563185f63ea6f538891319d7ec816610

SHA256
0af63b41e2299eba0a57a5f5eae54c45d9425581de2c42d0172ae06b43d9692a

SHA512
53a1b411c67019413ead5ff0211e33271e4e82ad39719033d500b44417434ae9bcb3a533dc339550ec589a1b0c119e1793e980efa959d0fd327dd4cbe86217cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
c9a375d8579562c983e9d2821f4f8342

SHA1
2a329580a84bf3753902da812ceb64b93596e7cb

SHA256
c8f2933d24039f1b7bad7d6ee852537bc4bbb4b945e7de46d67c1485131980c0

SHA512
9c3b0f031a8bbc28b0256f6205de79ebf04b5d8417ca146bea6708bddf2a7b0d8fd8bb83c875f00a391e48823fd3fa623b0a4c673cba07738a726e7cc9689ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
9ebcc91f93e29c7ee76e56711c17f562

SHA1
019282e2fdd61b96e7fba55b4885ccab1206c641

SHA256
380f019c4f5df9707b7ecb822f26d861f380ce6ab8893fbd14fec610a7cf5714

SHA512
a5e5b6e3520166fce9d515c932b9fe42ead28a09ee15edf7fd08d4eaaf1ea4647c1884609bc7b7b967363f7eeae4145f6a39f0f516fcb2b4849114b0879c10f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
7362cf2aa0ecf2677156097ec2a22a16

SHA1
f0af3fc83df811dab26393ad19f8d0e199a09b62

SHA256
defde7dde99857b9896471b4e11776c76acab80415ba01b3752d9924b5deb5e7

SHA512
951e6bb568cef28ba24f62d3645adad612bd6bcb24d4750f051315209409d1f8823264e455c682b31454b0a7c0530a548a97209ccc0c8626ce4000e72a5b5267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bca900c305468cea659b2f3a272b79c

SHA1
26500367ebc7c885688be847a101da293fc27ced

SHA256
00e68742785089e8774c101657c77e19a74d575342392e1a8344d19a17fc2dd2

SHA512
8a3251180d68f14cb40f7e0fdc28b98f85f40ec815e5b1cf760f88bf6b3f6e0a650d08772c2cfcba57737aaa0e1d7f8eb9adb6dbdedddf8b9ade9eaa03a11db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b3e3e032fe88d3074bcf8162f62c44f

SHA1
f9482a7ce9a84b84c65964c6db3b569aa0fbba93

SHA256
2a6207f013f626d2406a9d288ec33f634f7d63b4b78a43039dd70bc870bdc89a

SHA512
862208eeb25422c154b22c6049214e488ff6f84fe7a0d612321f4771e4d1ad64f6858aa337c7d07bcb0a9d0f0bcb7f3821eb9c7724691712ae555753f3ab34b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
8dac1761311dbc3797d0097a97eeebb5

SHA1
8ece19cb0dbbcfeecb997827008b1b2acf5f96de

SHA256
4f0c478bd7799d324740845fd53ac96f805b3a7e429edcaf0f928d40b005387c

SHA512
0ce902a5fd940c768e936e96dc30bec93b483e7ac5ce753b693df1cac62578cba07b23ebf7ab1c62a0736776a04610d6fee41d7b7268c0746d2868cfc9c0836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\095c2c70f1384c60bcd4604700459c73[1].gif

Filesize
254KB

MD5
88c037ff9c3e3a1796fbb31b53fc4fc6

SHA1
76d2d296f0949a35256cde6b193f6f8935e75377

SHA256
8459375e3af2855c687eca278d5ecb413556da31c2c3aeb5a1af90cef85b0659

SHA512
1dfd51c46ee30bc882069e0312aa898d4fdfe653613b95c2d9d5e36108c0777e3183019495562d40ffd5b1c68e3d0c06a61ffaa7ceab0605f53d622e23573f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\6cb226f219fa4e02b7b8e883e925bab1[1].gif

Filesize
479KB

MD5
12f48e3549c313b9d43138ccb5cfdff7

SHA1
16e970dd02bd8cf1ab8aa8c674d46f1cd5d65a4d

SHA256
f2f83642abd46506fda7246affcea4809bce990baa2556effa9127edf1538883

SHA512
ea4f3e816272406893bc47b1737bc52db967d5ae71c79db21548c79d9ca365a13077ad0d2862cd9b2d35c7a47e29cf10d8c437c253e9cd0e4b3cdee1643a3dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\bootstrap.min[1].css

Filesize
118KB

MD5
7f89537eaf606bff49f5cc1a7c24dbca

SHA1
b0972fdcce82fd583d4c2ccc3f2e3df7404a19d0

SHA256
6d92dfc1700fd38cd130ad818e23bc8aef697f815b2ea5face2b5dfad22f2e11

SHA512
0e8a7fbd6de23ad6b27ab95802a0a0915af6693af612bc304d83af445529ce5d95842309ca3405d10f538d45c8a3a261b8cff78b4bd512dd9effb4109a71d0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\bootstrap.min[1].js

Filesize
38KB

MD5
2f34b630ffe30ba2ff2b91e3f3c322a1

SHA1
b16fd8226bd6bfb08e568f1b1d0a21d60247cefb

SHA256
9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe

SHA512
a014e9acc78d10a0a7a9fbaa29deac6ef17398542d9574b77b40bf446155d210fa43384757e3837da41b025998ebfab4b9b6f094033f9c226392b800df068bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\jquery.lazyload.min[1].js

Filesize
3KB

MD5
112c8d1b40b3e62e883c743e9d71e0bf

SHA1
338318e930487b2791a7bcf53ad4601630cc41e2

SHA256
ad79ce7e34d1a788809bb853031133de2ae45f3c19ac4955dae46c7490188c2e

SHA512
8cd0ed15feea814d1e1fff99e36146e1fc37c3b0ccffdcdb80d3dedf07c9942ca55434d3dc880a5b9afdd95cbd2076ba539d2fc8ccf981107222ee1821716d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\jquery.min[1].js

Filesize
94KB

MD5
4f252523d4af0b478c810c2547a63e19

SHA1
5a9dcfbef655a2668e78baebeaa8dc6f41d8dabb

SHA256
668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404

SHA512
8c6b0c1fcde829ef5ab02a643959019d4ac30d3a7cc25f9a7640760fefff26d9713b84ab2e825d85b3b2b08150265a10143f82e05975accb10645efa26357479

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bat

Filesize
1KB

MD5
90c75b8659294e166a60782eefc4f3bc

SHA1
97028e1233c09be6cefb6b3843dc477e56a98d56

SHA256
0c3e179547b62b770ab31f7cab5c3cbd3ac2019a3f467c6808763a125b500655

SHA512
7d33578c574f2f8b74a5379c616bd8e7cbcf4b1c65227c1a6e98287b6acf4edf259ffb4a68c0f39fe64b00ad3ce03be013acce5a11fbccea9a697fad13815b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0OE7ZN1K.txt

Filesize
112B

MD5
80a4b1c29b2ecae35da062d0218bfeae

SHA1
7bc67f027e2be82aadc3b99e8123bd6668fb748d

SHA256
7055d949a2de5aa66226de2e274fa4d477887d1bce81bebe79a3a8ea09194156

SHA512
f8de70bec0cb46a46d46205b721c0a59ba8335766ba74efaad2b4b0cc5df0db8b50dea77133bdb81a26c6fff904b8baaa05dabdaa87a2afa7102098aac8ef073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7EMI3ZQA.txt

Filesize
94B

MD5
772a623e5131f96922da481b35114564

SHA1
c504420e525c1c1c58a562fba02222c6315410fd

SHA256
1a257b614ad142c9645c816a96b6e81d8b35daf989c7a74cb480cdd90c956084

SHA512
fbb60a9a19398736c117e2fb74b11739186e83e35e2b618350d01d299aae29527b6f1b0f095eaf28c1be7dc1c5cc4a4f5817d3691fc98e0b4165278ce2f2c38a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GWJEB1MB.txt

Filesize
115B

MD5
266b37d60b95af6252a502cd8222be6b

SHA1
522b9b944f683cd17db19eb9e782c46df729a360

SHA256
de008ddfcc358e27e28078b95ae62998f51505c3352d6dc032f355a9d352c696

SHA512
d0fb5e6844e1100ca7e2023102c86e25c5cd374ed0a12494139d2f1bad36d9fd8e49ad4832548d8737eaac06a2700fafcdf5fb1eec349cec6c3038cd13f51cc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UOYYQAH9.txt

Filesize
115B

MD5
dfb58f80d248cde5ff9ec4f8a5a78778

SHA1
7467db3cd91fbb0efe2c95c1180f76a0c7dcb11c

SHA256
42fb30d0bea6ceedf266f24d81de797df6f0a2ff2d1e8f35003bac2c5c494856

SHA512
23959ef40ed874154fab4bfe23513e03ca0a11997adc316c38b6ac331f7c12892167594d07cc34df0bb20ffd59180c4f077fe06bdd0d2e4075fc34fcec37634c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X6R4RHKC.txt

Filesize
224B

MD5
a78e80723aab9b2552a6e83f336c3481

SHA1
e4d08781cd38f48798f24e79176fc1149a228c07

SHA256
f1bcefac07b48da458fe0c6f55d47442e006a7530ccbeee775352a00f9643a36

SHA512
8995ee5ea99f1c03d0f35e565dbd070b734846960a27c02fa770afa6a81d1c4a25c433f8a03e84fc92540ae696c192fdc6e102d95045cca6e69dfca2fc99e9f3

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
3a93ae2666db59a22e7628b8cd8c0000

SHA1
482bfa6139559f1bb268bc4ec5060f2c5815bf2b

SHA256
098b28b05dc70ea956470b1f90a93b8f2700bd7147aa6f1bbb561bdc40fecfdb

SHA512
2111acf910d8916b408b748c499920fa09845375acc45702753c0ea5ccfe0ec9dac055c4068d21febc894ba2f2b40e4a1b0e7a73af0dfac4dea9633f04885b29

Download Submit
C:\progra~1\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\progra~1\kingsoft\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\progra~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\progra~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\??\c:\users\admin\appdata\local\temp\url.cab

Filesize
6KB

MD5
92801ccb1a2a91417e49f12c5f9bde40

SHA1
147640dd669957eb4e5ecdbe121ae0ffbaef9409

SHA256
69f0eee062ef1a20801278c2f031b6d6cd788234a478d5540220c0186b3379a8

SHA512
203f6557d04923d610503984b9ddbcf265f292525c6610ad2f0d566377c442751626780389a35d12b09c2b7a4363f04299a2a566eda04622e54f868adcd2adf5

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\PROGRA~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-57-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/1048-95-0x0000000003550000-0x00000000035C0000-memory.dmp

Filesize
448KB

Download
memory/1048-55-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/1048-90-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/1772-88-0x00000000002E0000-0x0000000000350000-memory.dmp

Filesize
448KB

Download