307b3a1fbd441e54934284c21e0db78b5ec417e9f0e1c3bfa45dcca94196261e

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25bd57a1034c3e7b57846255aa285077.exe
Size

899KB
MD5

25bd57a1034c3e7b57846255aa285077
SHA1

6918a5793d54906c3c120dc9d348c7d72b249423
SHA256

307b3a1fbd441e54934284c21e0db78b5ec417e9f0e1c3bfa45dcca94196261e
SHA512

7cc0695a626887ce7d752e1df44a84d329f0d90f11e7b3ee84dc2f1d3dd47a2f54bf24f356dccd378e2e9b37790294d860ed2822dfc409dd2bafaa44c232575f
SSDEEP

24576:2Ms1/QkXzu4zzB6fJ2dM3snVAFQf3w7yKS:rcokXzu4XBCoe3sV9Gyf

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2008	KSWebShield.exe
376	KSWebShield.exe
2096	KSWebShield.exe
1964	KSWebShield.exe
2240	KSWebShield.exe
2980	KSWebShield.exe

Loads dropped DLL 18 IoCs

pid	Process
2936	WScript.exe
2596	WScript.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2096	KSWebShield.exe
2096	KSWebShield.exe
2980	KSWebShield.exe
2980	KSWebShield.exe
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2428	25bd57a1034c3e7b57846255aa285077.exe
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
2428	25bd57a1034c3e7b57846255aa285077.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	25bd57a1034c3e7b57846255aa285077.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	25bd57a1034c3e7b57846255aa285077.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	KSWebShield.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\kingsoft\kwssp.dll	25bd57a1034c3e7b57846255aa285077.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\kingsoft\KSWebShield.dll	25bd57a1034c3e7b57846255aa285077.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\TheWorld 3\TheWorld.ini	25bd57a1034c3e7b57846255aa285077.exe
File opened for modification	C:\progra~1\Maxthon\Config\config.ini	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\ico\Video.ico	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\ico\Chat.ico	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\kingsoft\KSWebShield.exe	25bd57a1034c3e7b57846255aa285077.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\Maxthon2\SharedAccount\Config\Config.ini	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\ico\Film.ico	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\ico\Taobao.ico	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\kingsoft\kwsui.dll	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\ico\Beauty.ico	25bd57a1034c3e7b57846255aa285077.exe
File created	C:\progra~1\ico\meiv.ico	25bd57a1034c3e7b57846255aa285077.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.v258.net = "0"	25bd57a1034c3e7b57846255aa285077.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000bf4d7770965ee62d5ef9f86d3407ecc945a03ddb2806adce7d42217fa667d9d7000000000e8000000002000020000000cbb7df4f1e7fff20ddec3dd2adc50c2e4ba3ca7657b1777f70eb975509b9f10f20000000a9e0d2662ae1c1f78d31575316bde2062b844038737f5f2ce44b82bb5467811240000000fc7fdb75b232f111eb61f7145fd29e198b04c014aa517f49e6855e8f2c04591548129b2fd6b1d72bd9976fecc56ff23f75f6acb3556172655c311917019e2bec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CDAD511-A90F-11EE-975F-42DF7B237CB2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36E503B1-A90F-11EE-975F-42DF7B237CB2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	25bd57a1034c3e7b57846255aa285077.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}\WpadDecision = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}\WpadDecisionTime = f0f72c0b1c3dda01	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6b-70-21-82-bb	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6b-70-21-82-bb\WpadDecisionTime = d0cea6071c3dda01	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6b-70-21-82-bb\WpadDecision = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}\WpadDecisionTime = d0cea6071c3dda01	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6b-70-21-82-bb\WpadDecisionReason = "1"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}\WpadDecisionReason = "1"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}\1a-6b-70-21-82-bb	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2BB6E0E-4C3D-413A-970C-37038C1F597B}\WpadNetworkName = "Network 3"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6b-70-21-82-bb\WpadDetectedUrl	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6b-70-21-82-bb\WpadDecisionTime = f0f72c0b1c3dda01	KSWebShield.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
636	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeDebugPrivilege	2008	KSWebShield.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: SeIncBasePriorityPrivilege	2428	25bd57a1034c3e7b57846255aa285077.exe
Token: 33	2428	25bd57a1034c3e7b57846255aa285077.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2936	WScript.exe
2596	WScript.exe
2568	WScript.exe
2124	WScript.exe
2168	iexplore.exe
1364	iexplore.exe
2168	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2936	WScript.exe
2596	WScript.exe
2568	WScript.exe
2124	WScript.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2428	25bd57a1034c3e7b57846255aa285077.exe
2428	25bd57a1034c3e7b57846255aa285077.exe
2168	iexplore.exe
2168	iexplore.exe
1364	iexplore.exe
1364	iexplore.exe
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
2168	iexplore.exe
2168	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2980	KSWebShield.exe
2980	KSWebShield.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2936	2428	25bd57a1034c3e7b57846255aa285077.exe	28
PID 2428 wrote to memory of 2936	2428	25bd57a1034c3e7b57846255aa285077.exe	28
PID 2428 wrote to memory of 2936	2428	25bd57a1034c3e7b57846255aa285077.exe	28
PID 2428 wrote to memory of 2936	2428	25bd57a1034c3e7b57846255aa285077.exe	28
PID 2428 wrote to memory of 2596	2428	25bd57a1034c3e7b57846255aa285077.exe	29
PID 2428 wrote to memory of 2596	2428	25bd57a1034c3e7b57846255aa285077.exe	29
PID 2428 wrote to memory of 2596	2428	25bd57a1034c3e7b57846255aa285077.exe	29
PID 2428 wrote to memory of 2596	2428	25bd57a1034c3e7b57846255aa285077.exe	29
PID 2428 wrote to memory of 2568	2428	25bd57a1034c3e7b57846255aa285077.exe	30
PID 2428 wrote to memory of 2568	2428	25bd57a1034c3e7b57846255aa285077.exe	30
PID 2428 wrote to memory of 2568	2428	25bd57a1034c3e7b57846255aa285077.exe	30
PID 2428 wrote to memory of 2568	2428	25bd57a1034c3e7b57846255aa285077.exe	30
PID 2428 wrote to memory of 2124	2428	25bd57a1034c3e7b57846255aa285077.exe	31
PID 2428 wrote to memory of 2124	2428	25bd57a1034c3e7b57846255aa285077.exe	31
PID 2428 wrote to memory of 2124	2428	25bd57a1034c3e7b57846255aa285077.exe	31
PID 2428 wrote to memory of 2124	2428	25bd57a1034c3e7b57846255aa285077.exe	31
PID 2428 wrote to memory of 2008	2428	25bd57a1034c3e7b57846255aa285077.exe	35
PID 2428 wrote to memory of 2008	2428	25bd57a1034c3e7b57846255aa285077.exe	35
PID 2428 wrote to memory of 2008	2428	25bd57a1034c3e7b57846255aa285077.exe	35
PID 2428 wrote to memory of 2008	2428	25bd57a1034c3e7b57846255aa285077.exe	35
PID 2428 wrote to memory of 2168	2428	25bd57a1034c3e7b57846255aa285077.exe	40
PID 2428 wrote to memory of 2168	2428	25bd57a1034c3e7b57846255aa285077.exe	40
PID 2428 wrote to memory of 2168	2428	25bd57a1034c3e7b57846255aa285077.exe	40
PID 2428 wrote to memory of 2168	2428	25bd57a1034c3e7b57846255aa285077.exe	40
PID 2168 wrote to memory of 2476	2168	iexplore.exe	41
PID 2168 wrote to memory of 2476	2168	iexplore.exe	41
PID 2168 wrote to memory of 2476	2168	iexplore.exe	41
PID 2168 wrote to memory of 2476	2168	iexplore.exe	41
PID 2428 wrote to memory of 1364	2428	25bd57a1034c3e7b57846255aa285077.exe	44
PID 2428 wrote to memory of 1364	2428	25bd57a1034c3e7b57846255aa285077.exe	44
PID 2428 wrote to memory of 1364	2428	25bd57a1034c3e7b57846255aa285077.exe	44
PID 2428 wrote to memory of 1364	2428	25bd57a1034c3e7b57846255aa285077.exe	44
PID 2428 wrote to memory of 376	2428	25bd57a1034c3e7b57846255aa285077.exe	45
PID 2428 wrote to memory of 376	2428	25bd57a1034c3e7b57846255aa285077.exe	45
PID 2428 wrote to memory of 376	2428	25bd57a1034c3e7b57846255aa285077.exe	45
PID 2428 wrote to memory of 376	2428	25bd57a1034c3e7b57846255aa285077.exe	45
PID 1364 wrote to memory of 1636	1364	iexplore.exe	47
PID 1364 wrote to memory of 1636	1364	iexplore.exe	47
PID 1364 wrote to memory of 1636	1364	iexplore.exe	47
PID 1364 wrote to memory of 1636	1364	iexplore.exe	47
PID 2428 wrote to memory of 2576	2428	25bd57a1034c3e7b57846255aa285077.exe	51
PID 2428 wrote to memory of 2576	2428	25bd57a1034c3e7b57846255aa285077.exe	51
PID 2428 wrote to memory of 2576	2428	25bd57a1034c3e7b57846255aa285077.exe	51
PID 2428 wrote to memory of 2576	2428	25bd57a1034c3e7b57846255aa285077.exe	51
PID 2168 wrote to memory of 2736	2168	iexplore.exe	52
PID 2168 wrote to memory of 2736	2168	iexplore.exe	52
PID 2168 wrote to memory of 2736	2168	iexplore.exe	52
PID 2168 wrote to memory of 2736	2168	iexplore.exe	52
PID 2096 wrote to memory of 2980	2096	KSWebShield.exe	54
PID 2096 wrote to memory of 2980	2096	KSWebShield.exe	54
PID 2096 wrote to memory of 2980	2096	KSWebShield.exe	54
PID 2096 wrote to memory of 2980	2096	KSWebShield.exe	54
PID 2428 wrote to memory of 2840	2428	25bd57a1034c3e7b57846255aa285077.exe	56
PID 2428 wrote to memory of 2840	2428	25bd57a1034c3e7b57846255aa285077.exe	56
PID 2428 wrote to memory of 2840	2428	25bd57a1034c3e7b57846255aa285077.exe	56
PID 2428 wrote to memory of 2840	2428	25bd57a1034c3e7b57846255aa285077.exe	56
PID 2840 wrote to memory of 636	2840	cmd.exe	58
PID 2840 wrote to memory of 636	2840	cmd.exe	58
PID 2840 wrote to memory of 636	2840	cmd.exe	58
PID 2840 wrote to memory of 636	2840	cmd.exe	58
PID 2840 wrote to memory of 2668	2840	cmd.exe	59
PID 2840 wrote to memory of 2668	2840	cmd.exe	59
PID 2840 wrote to memory of 2668	2840	cmd.exe	59
PID 2840 wrote to memory of 2668	2840	cmd.exe	59

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1092	attrib.exe
1100	attrib.exe
2896	attrib.exe
1704	attrib.exe
1620	attrib.exe
1628	attrib.exe
2148	attrib.exe

C:\Users\Admin\AppData\Local\Temp\25bd57a1034c3e7b57846255aa285077.exe
"C:\Users\Admin\AppData\Local\Temp\25bd57a1034c3e7b57846255aa285077.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\CYWT1.vbs
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2936
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\YgvuC.vbs
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\7AdK8.vbs
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2568
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\1k3ee.vbs
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2124
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-31
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2476
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:537601 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2736
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.31166.net/?uk-31
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1636
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:376
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-31
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:f
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:f
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:f
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:f
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:f
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:f
    3⤵
    PID:696
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1620
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1628
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2148
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1092
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:R
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:R
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:R
    3⤵
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:R
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:R
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:R
    3⤵
    PID:1344

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Desktop"
1⤵
- Drops file in Windows directory
PID:2912

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Favorites"
1⤵
- Drops file in Windows directory
PID:2484

C:\progra~1\kingsoft\KSWebShield.exe
C:\progra~1\kingsoft\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2096
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2980

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -install
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1964

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini

Filesize
89B

MD5
c7dc6e76053d0c73aa6bdd6a2c787e06

SHA1
1308d64499bbc429998217ae4c71933233d75310

SHA256
9bacc21f3093e9cf751447eb89f354d42ab2742ebb875de5363c04f17e368e06

SHA512
617bd7adf20bd7757d4d322275d881cdd287fd292d90324d513c48150b29db93bffb7913b8d58df8854b6941540443271aeaeaa1a65672e168d0eda20aed30a1

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
748B

MD5
64bcc455bb8e235dbc36526a90b00741

SHA1
8ca2a1527a290c92e61f7efe2c0df29d85007a2b

SHA256
9c4c966a7c26079b79cde81703c35aaf042184ba278c9d4f2671e004af281c9f

SHA512
aa4006687308055d2e61edbb2915024c14cb6f9676adfba5852694d580d81e0f324f2ae97d571678b107398ede91bec0fe98f91208003eddfb6eec144c16a5f2

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
296B

MD5
8de8afe8bd273641188d6be7bc0fb35b

SHA1
4d337b4aa4ecddcf2bfabe75f4f7195e9cb287ce

SHA256
e3d20e36ca732862c8c8ecfc79c4e39fe8a30f5ca62e3b86d538710363554339

SHA512
583497c0e5c00b0cbc6cfdac8c90cdb011755e7570ba16634791ff7866ec6a6f58351d1a24fff7772647166abe0cc45648f299b042288f4bb681ac360919addf

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
550B

MD5
43fbe7f6ea3a52fdebfdf1eaa943bb3f

SHA1
3372b0c8c8b8546b86bfa3e6effa675faedc9cc6

SHA256
7e76f276dd955196d344dc26163790fcfbe7241455e4efff5b0358dfa0fc5234

SHA512
3baf9e11fb5674720bbf2cae78ca5a11741316368be82591b31cd395507c8c519904f6e7a4e97b45b5518acd837fa670e69980600474663cb5be3f4eabd41587

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
650B

MD5
95ce3047f391dae98456adb48f9c4754

SHA1
623274180d2540d5e2c7095bdff2b8fb87bc5232

SHA256
f52401851353739395159fd9490c346f01692986f74acc3a8901cafaff542380

SHA512
8ca0c74d3cb3c8018fac6077ed341017aab5bf9837243e8e8de9dfb19ca5d4e5a50eae20fc494202ba804edbf009b86cd023e0271d3a140ab5eee2ef00a30336

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360safe.lnk

Filesize
1KB

MD5
23c9e47a888753e55cb206e9203113a0

SHA1
25836f2514f7516b5c58d2f625b9d865e6504c00

SHA256
51fe7d75c6b283e11b81ecdd34bd48c69457ce6cbe927d030e087ecd956a46b7

SHA512
6fd64daca5265bdd994b9695fceafa535db4c976c6a70319d8503e991607be3bda485d5b6a09b99a122ecae9577292991e30b39a20364f009558db65a8e59fc6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360sdo.lnk

Filesize
1KB

MD5
4f1717784dfca0a6e09ebf16c5f14e89

SHA1
e16db66d8cc17fb07e71b806ebc49e6d3edc3b8d

SHA256
c05985010af3a2d7725fe6544cdcc33edbf22200a49abbf51b376adfc7e58c52

SHA512
924a68c8ac7a0e292dff920ca03de1465debb5621a09f45db4fef1cbcac8e0ebe991052e6e818b9173fb1a6913489f08210fe5977bcaf63aa27750a7aae7bc1c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\KSWebShield.lnk

Filesize
1KB

MD5
bef95eeca8df61cb52438417e00d9640

SHA1
fe507d3cc607c2243c0918da5b4380dd2eb6ab1f

SHA256
5e7cf7ec87f101603bcb0bf598423b8d2bc0308acd2b6a258ec00aaab2e43c8c

SHA512
779d111738fbe4256ed54307d305f7f71cd144e162389deab9b638098060f4bd1cdf2c8e7a29632f3e2f66d919f1a6accea5993fa9537eb6ff5eb8ef0de5ba13

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\½ðÉ½Íø¶Ü.lnk

Filesize
1KB

MD5
f8616b8fc2ecb03d42d838ffc8a11242

SHA1
07518e8637fec5ccd47021a656a244b525f8eb40

SHA256
ebcbacd2f34f2856bf38b8ffdac8211d0c6587d05e21491e477c671849635865

SHA512
a54b44d778b87dd87ee6657cd3419604e6d52e65157fd3497c9dce64f2a8dad565627a9f6bc7b878136e8b967b16b3e70984975c130e0e48b8f8677ea1d87000

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
57B

MD5
9432fbbefdd0acb012b82b8ec337bdc2

SHA1
4c50b47d5a9b3570c92df75d8faa02961104ae07

SHA256
265957b9ba981f22ca6a48220f4f5e6f651269cec1c411f7d615ed23fcd48bc8

SHA512
0828151fc89646b45b3d0518bccee7917cd664dab687e4c011e74133482f77c02ee63492f6831cc8e00887a0ad345ee2a163f596339a3676c4836eb53334f475

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
77B

MD5
a1090bb2ca0fbdf6da1dc9db566a95e1

SHA1
58b4930d03d632fe060acdbefe3338ad5fbc0fbc

SHA256
f3b5aa58ad2faa1aee75dfc89b78112c85ef81991c2dadf0692a01e1d875415f

SHA512
6065df2a2b289377c2c37aa39cae4c8826b03340f5028c0136f61d8d043d0670b0295674066d4bb8641316431e4d1bcc45ac2855d2c7383bebc7d85bb4dd32b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0edc34e4d122e2900554625f8be69af

SHA1
0f03fd5e2fb47252f01616bac1c34907671fb0ca

SHA256
e65c5a4806a3edcb78299b8fd371f405c6d3242b2ae8b31c6ab2e506a8d47e45

SHA512
92e56b08ffaa200363b89a445349e3a202aeaf60af9a08e5f14d6b3bbcb0ca7f7a0e06f78a3ba324b3a438d15e125c105dbfafe1eb9d3b40310f74c239670653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9b7bb2abe46958b4627825c30de2a41

SHA1
bc70c2bf2e9948c31d3a251eab4fc4274db782bd

SHA256
afd9f57c2c71413be453d3156b0d61bfbacbe9257829257961bd5f95c532b400

SHA512
2afa877ff38524f53903982d92fb6f74d38ff05a1d31b149886faad1b16301567615a633dfc8d9b8c9d78bccb40d22170ebc0ec6070253c1e2da0b3351b7f4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f4752d10bb078d1aed035c234d127d9

SHA1
775082f9302f3589ba0e3ae50ef0ad94f842a97b

SHA256
7a43fec979ecb61f79ca8b0a6159afa0cc14ec48f0defa1a35b8a153cc0623da

SHA512
dba9a312318d2ca758407a5f7a529c5a7f91ecd00ff8bfef0497620a083e697937e4243c704151b5c35a48bb03e582c3de8e1923f5de79234a5163f844c79bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23162835de26f78d28230ccca292f068

SHA1
7bc5f3820680d2755606be3d07a101692ae54726

SHA256
7598e6143a97005ec254c2b025920f4c46d0d2898b9a94885701c548807485d8

SHA512
a17e3a9ad4e74f1be192c08db0d80974ff732d1b6b35d859ee4208cbefd2e3a5ca525c2c49c2d95274af77e2be89e2b8a2312c13e44617e8fbd75e241c99be86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de62903f43e6340063e493c21c372e8e

SHA1
2626ddcbeaa7cca0581e693e6afd10b082bdb168

SHA256
35a7841342074761590f7d685120912c85079a97daadfa977bf941ae3a9e14a1

SHA512
97007adad416e21f1d5d1e4c94febe5ae5a80b2f37cba8c334b247855173dd2d4c286e0770fcb54179582094b334761815b50791f485a4eb2b16c666110735a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac17a7ebdc0cdd4681df2b3ace76eb80

SHA1
c69b8fa3faa7c263e5a465abd0c7ba038fcabbf8

SHA256
b15cdcc853456045284ae6509e120508f8b2fa4a5d2fd7b5946b89986030fab0

SHA512
ec029610800d64bc1b1417eded40753537cac035ca364e85e5a49d132782027dd7b91150c83cb510627ecaeeb6e8979d5fe8a09caab1bcf7f0b1245e143e5e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91a72fa3a4d4b652e130ba5b735dada3

SHA1
145cd7c6282957c936eda6355c4d19ffe125853d

SHA256
65880e56af05487a37d548193ba5f0bd0ae79c797e9e610221f5ea3e5bdb12f0

SHA512
85f5fbe1b6c2070fe0427e9a61f5b67901b8f2b8e612fe05875943ab32f9d74e6e34d65d6f821efb24cb14279e721e94454d40095de0b81ff4f5c7b79ccb4840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d63d0c389d541b449474e9598a502764

SHA1
0b2fc974649b0a020809e3cce353322fffb700fa

SHA256
a8a31cbf2958838823f6244077849019262fefa5a54868bd43767968cc8d465a

SHA512
3f5f2b501932f00cd85558d6699e5be8a763c3677ac71f8c6c2e2eec35a03fe76df048d4625789febfccc6073eb51bf558b54d88778541cbc9f93cfe6cb943f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19e883c952b5406807327b3abca39ca2

SHA1
eb2fe72dc1838c10f504e0c32691797481e52eff

SHA256
d70255124b84b00c996fbfdacf49f2d76d88f9cd9500711a72a45ef786118073

SHA512
7296ff6280e2d2b411701beea9ff38877457b6d18f59bd1ce324d354b112895510a76aa5e9744beae08fdaa4b40ba48df3a581502479c95541f817aa9da5ae23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9508889b2f6647e32a4c5fa2d18df52

SHA1
bf4bd189a1247302bfc94e838b48eced8a8f4e4f

SHA256
d210f9b94f3f4c7aba52dfaa868bc0f94d3fb684fef6ad76798f3dfc4478f2dd

SHA512
8154b30d11b97c9573c873498c4a4815e4218a7675b9d2489c6e42931ab9b6f8486cf422fa6262cd2753c1b3cbc47f703119fbed5026fdbf8d0a709616f4360b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3419d17ae1ef6ddd7c876e5b40e7cc25

SHA1
591f4376cfd63d1a7fe065f69a4517aa9c807448

SHA256
4ded0d282b457804968999b712db6bb46249ed1d07649e2e311c832b70456cc3

SHA512
3b9c51d861b152b25e868f1dc7a75147eae4ce25274d2503ed16f3fa69daf3e71fb9ddd1f63971c40ab4bf29b5449e60c629ad11ee4c7c577bec07bd913602f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
812a86e791f00c0a2b3612ff3127ffc6

SHA1
8680bb97072af3b09ab55705b1f3547519f40bda

SHA256
ecdadc218114925c0c4d87a983f76417f6de46b637743445ce263fe09d157797

SHA512
4cdf68496f098d78a7405bfc901aa72199c8eab21754e9b571e526b36cdec163839abbe2d7a4778a15ef0818140e48bec93af47a59ec95c72ed8261b049c17c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00d1215a1c2281668b5f35042772d3c6

SHA1
e59811a0762ad6c8a52c81c2dca623b81adcecf8

SHA256
a161dfc2c591eef58ec73e7a90c14cd28808b771964de7d3dfae59636de826fa

SHA512
424868a11aec96ae33ac538cda0ac096e3cc8b3c08044170ee10d19a450aec6d7c33adc3a2002385315d40ca22f04e681ffd762c167409b41adb4776d14c6ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36E503B1-A90F-11EE-975F-42DF7B237CB2}.dat

Filesize
5KB

MD5
b9a962fa86093d4b9cffb7ec8ac3d553

SHA1
378cd0e2f572a59c365daf0f0a4e37a72af4dd03

SHA256
fa945ff747f27871862724255a97e80a7024ae3c4843f51fc2b1ab1c57546b67

SHA512
c21e63a9a20dc5cd64883adc3fabac8ad8c7104c16c986a35d1179e4e52c060ddfd191e12da3b6397eae753a2df8ae42efb164c9d2053f8ebaebd0ca04f148ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CDAD511-A90F-11EE-975F-42DF7B237CB2}.dat

Filesize
4KB

MD5
b5c78e6529317bf7fc810e0c558a6057

SHA1
136547ad78d427316abe41bd1548657b53696081

SHA256
f09b860d8130ccdaf84af3cc24997bc7dcf9f58d73fd4c54aff528026462147a

SHA512
ea3bcdfc50022688ebcbbe2c481074ac08fb58dad8b8d0cccc2db429de6d72b7a59b4874c336de7455ace8cbdb6d64b6e50226abe951110352d5bc3054a970f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2tj7qpw\imagestore.dat

Filesize
1KB

MD5
90f9bcd27710b7bf66509c5b9f4d8d25

SHA1
859687582e7908dd2524fb4c1d60dcad48e1edaf

SHA256
90e5494a7ca07f5e6bb71d67ea3c11bfac6e0f0196ca86c2839c3bba22414452

SHA512
7345e71808c23c71a10d3e5dacda76a6e23cde57d418d32ff27de7a097286e31b3a5b6b62a80ce3ab73ce0de87f6b7ced92844ee0580f40bb132a39f3087e367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\favicon[1].ico

Filesize
1KB

MD5
7ef1f0a0093460fe46bb691578c07c95

SHA1
2da3ffbbf4737ce4dae9488359de34034d1ebfbd

SHA256
4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c

SHA512
68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

Download Submit
C:\Users\Admin\AppData\Local\Temp\1k3ee.vbs

Filesize
566B

MD5
680521afa77bd640e3b8e8a4bedd2c1d

SHA1
2e6e55aee4d1d9d22d8fbacc91e936e0d126b596

SHA256
8fa568e0a875b89117cf649d3ae491824764953e0ecf351f2e28998a759770c4

SHA512
1c02ed6c6bbd2865f923f036b69d2efc30b547ba98119c41d625fad59d3c3fe8971302cc23c8079772fbb7387472508fbff51f2eb10a7b68889efcfbd139933b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AdK8.vbs

Filesize
565B

MD5
24fe08b93105abd2afbc67f7b5a6671f

SHA1
3a4e0e52645cb6f73075931f6af233599cdaeef5

SHA256
6dc1cb7b6a9ccdbef3f44a9ee3b38941b5facab5063e5f817e609eda4d02037d

SHA512
8093808e1aaf0722e69f81c99ac4d951957d90e1e784c326e1b18380173f10a42c4b1e1388bda9146504810fc90e140570085966fb994b965b57dcb717fe0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYWT1.vbs

Filesize
476B

MD5
ec23238217f6b5645af06fc0bf5c237f

SHA1
9bb0f8fd2ab793067ad91ea73937e3e37227a29a

SHA256
5452ae11d8d0e47014ffa8390e29007de69157a21cf5ce772745276390cf4b85

SHA512
458d1f5dea40902c786a6a5da421e2e6f1d17ab661efdb96bfaf8e215ce36c26bbed097896e71c4c3a33dea08439f9180713a675ead2bea96e9cf0aa09439507

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab995.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar994.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgvuC.vbs

Filesize
478B

MD5
7362e8e15c001c6a436833c780bcf190

SHA1
60af3a516c601cbb288450915405cc550ef1e06e

SHA256
a089c00385ec72082e21a9bae6be5b3669ef33ef50ac208c3e44275deb806b56

SHA512
cdd48cab51b0bcf853cb7dde79198e44c0c1cdb18afbf8b0aa231e6ba03a80602e66c818dc778971345f23c0f1c120d03dbec5c1280c9a91ed8004201a8c2477

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bat

Filesize
1KB

MD5
7224ccf9d4354e76d4b5e8b57d5dab17

SHA1
2a910ce03a6b7cfb09c220d85577258cb3ef3a7d

SHA256
76487df756feb13baa1af6c7b09041beb7c80115547796e126a4da2bf867a6df

SHA512
f601bc1148f38a8cbf72cd8e983326a673ffd8c4d69f413abeeba869f29ac7097eb3613cc2303a1c08c4d6fa2a694ac193d416fea41c48316e82c7f51b57e57e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ORPENRW2.txt

Filesize
224B

MD5
323094aed4e6a97174eac1fcbb8a3104

SHA1
42f769acbde4b8a46607568a49dfda862ca5e8c4

SHA256
b7ab5308dcf0dbcfdfdde5c7850989dfbf330c70016c9f74ca05c6b92af31e19

SHA512
01e01c245183a03293976eaf2a4c4bc1bbaae8c0dab97fd570b2b4a8eedb3f04eb1e3252c9723382d532d4b2ba11f94aea33494c5b11525b95b666208e285c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RESY6VFA.txt

Filesize
112B

MD5
2ecb3946f4753ea61b1611abb2121998

SHA1
fbad73e9b03450b7085967dd2a7df3f04ab744ab

SHA256
75f57ddc5e292d40e51c811a503d410b2f459b5c29525a68162ec98fdbf7a460

SHA512
6196ebdc05c485d45ba560fc125e3f69f47464783c340976d05076d47e7435275bf6fdfea0bb9224980cd287055ead8ca17450639ce3ff967b0a88d5036b59e2

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÊÓÆµ.url

Filesize
134B

MD5
f74aa96b9b45c6b94531b192d4926ed8

SHA1
9352c33b863662540afebc3e7570804f1ac8f23d

SHA256
31530927f5f5b0a42111845beeee35fa7d85aea04e3f8b26283b4b5fff01b3f2

SHA512
0665afb5e78385fcbf3def63e09358ac136162ccec3dd7b304f4d428c401ee38a1841d0c0fb691bb7ad0afe72d6958bd63886f4699176f5dbfedb4aa128968c1

Download Submit
C:\Users\Admin\Favorites\ÌÔ±¦¹ºÎï.url

Filesize
135B

MD5
971c6a735a623358b013d44528942707

SHA1
03b058fa21afb28c10b9630bbae040095af8f335

SHA256
fdaf404d55a0d798f3f7a6a70bd023f02ebba07062b79dd50e543a18800be08f

SHA512
373c4cfefa02069d95d28320a9f7d7636b9c779a619a6c3aa77598e959dd0b09fa3f4238dc38c1f1843c09e82457c7d4a58cdfef2bf0cd300c75f501f7286b02

Download Submit
C:\Users\Admin\Favorites\ÐÔ¸ÐÃÀÅ®.url

Filesize
133B

MD5
5a52bb6c53b4839dfa8520a7fe5b53b5

SHA1
c124cd3787130609936d62d988e61067a22bb1d4

SHA256
cd201c825bcbe86a66c2cd500a0cfaca065fdabf753e220012a0cf8c90a4d0ee

SHA512
27812417c5379ba86787ee01130d6c2e85709f33b06dd2b35050b138dd75e76e10428d583274a17b8cf1bcae1fb031c904716318732eccf3b11f529982836710

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßµçÓ°.url

Filesize
189B

MD5
410344edda7f66eed109b512a5c20d9c

SHA1
eb4a4646312a24d13d7bbc49c04c1f74879b199c

SHA256
2743d42f107c734d57ac9922e5d5949254ec3cb512374135d40a0607446afbc4

SHA512
1753e2104c563b377668be35aa1179ceba7ffc7854be9ed3d54e0e4b695cb0a0f3867aeb255e0a96651eb1580ac654db3c61fa7e6242d8b86c192f11b1bb71b1

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßÂþ».url

Filesize
190B

MD5
6e028a15d5121ed2504d69fe97945899

SHA1
b664b2f0d5584382f42322c0daf49c515bd692e2

SHA256
5f4d7cb69f9919ca3bfb5e93f7bf5af8f6b31530d09fd34a9d64be3c70630bf4

SHA512
487daaf3e105012185c6f3f11787dcea31ec299cee6b1aa6f9e0c1e67929ea9d2134d642fc5b981a0918d7b25dff00f2fcb408cde7e1683458e0994fe481e718

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßÐ¡Ëµ.url

Filesize
133B

MD5
9f3fd6ee0c3d7636694f46b3b0860afa

SHA1
ccf26f1b9b6351c9e190cf3466f51aab59579df4

SHA256
82a66de7a7fa48d263b8abaab4a18ea475af46866d7fd1be94420cedfe8fce3c

SHA512
43703e62e5ee2f625b2966dba02b51950bf31e1911ac2aa9cc6eab4c9a486546bb4867183ce13e6d10ace20d604dbb56ba506715f2d9271770f8a733a32fa4df

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
8e548949474b0e339fcad7ad5d871eb9

SHA1
4995ef75e66123411fb712501571a63eb437477c

SHA256
77eca012a12321578465ffc569fe763a6ad72e67dda4a0183839a412c85825d6

SHA512
dd7e7bbdbd943ab01491b4fcabbc197486f601676bd7d730c39e6e0e1d096d1e93957e44eba211e8a952422728865005d74e3d1589d6310ae0f9a3015e67c906

Download Submit
C:\progra~1\kingsoft\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\progra~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
\??\c:\users\admin\appdata\local\temp\url.cab

Filesize
6KB

MD5
40a36b16aae0dc11743ffbbccb38a564

SHA1
e174112532afe76c6a3d4577742a1727b3abe397

SHA256
b5b7d6add712d4185cb10d299065ca48d6ccb5bfe79b024a170d2bc6869138e8

SHA512
b038f3449af3abfe56560068b86c4f634e8feafcab2bf655718ce8f34cd87b20bf3caa843860e6572f74f601a704f8dcbde714aaca9153feca92b31353b9951f

Download Submit
\PROGRA~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
memory/2428-88-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-75-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-155-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-154-0x0000000003360000-0x00000000033D0000-memory.dmp

Filesize
448KB

Download
memory/2428-119-0x0000000003360000-0x00000000033D0000-memory.dmp

Filesize
448KB

Download
memory/2428-649-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-566-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-303-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-0-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-650-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-64-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-1080-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-1081-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-1082-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-1083-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-1084-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2428-648-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2980-106-0x0000000000270000-0x00000000002E0000-memory.dmp

Filesize
448KB

Download