c2d8a252306ab22043f21d28473e36754b85add10368004ea5260e7123cb0a94

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Size

812KB
MD5

062a52024a60ad55813654ede1bcab9c
SHA1

8eed64f31f62adfdb86c844dfb15d7f4c885085c
SHA256

c2d8a252306ab22043f21d28473e36754b85add10368004ea5260e7123cb0a94
SHA512

e7511ea1b8c435997d25215229b47323b923fd3a53ed881046f69e538f5ab8028378a4ace0df133cf87eb5bf76e8858e625ed32adc425c83d5a29f77c0f982f8
SSDEEP

24576:YgNYvIOvPnjGM6xxJ60mVI/ba0xuVmrkAMlNFunUDR7:YggIWWxxJ6Z47xOskASFSUB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3032	KSWebShield.exe
2888	KSWebShield.exe
1572	KSWebShield.exe
1608	KSWebShield.exe
1304	KSWebShield.exe
2064	KSWebShield.exe

Loads dropped DLL 18 IoCs

pid	Process
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
1572	KSWebShield.exe
1572	KSWebShield.exe
1304	KSWebShield.exe
1304	KSWebShield.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
560	IEXPLORE.EXE
560	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	KSWebShield.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\progra~1\kingsoft\kwsui.dll	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\progra~1\Maxthon\Config\config.ini	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\ico\Taobao.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\KSWebShield.exe	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\kwssp.dll	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\ico\liaotian.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\KSWebShield.dll	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\ico\Film.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\ico\Video.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\Maxthon2\SharedAccount\Config\Config.ini	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\progra~1\TheWorld 3\TheWorld.ini	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\ico\Beauty.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\ico\meiv.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425049892"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000281c8b538a7d9651369f3907febe47865f75b6015b2903af3ef559453fe98f3a000000000e80000000020000200000002ba38a689d75d786590d8eafe1a61292a431533449a3f8ffd016e263945aee79200000009d79437dc1d6282ee8234128039734e1fcd65488376b51eed0e5ab361760cf3440000000c3ddec3d9d0d6876982d1f07cda34a28597da53b654eeae99d3c0822943c8688ed616c4c4da9fb0dce008b6058bbabc38cce04419bb5501bc94c82dafbb3046e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000077abd1dca0c113317a84883e32fca3362137719174398e783f068f5e1026fae000000000e800000000200002000000018f32e30f774fee5ead32c25b4f0b357ee442bad34bfcb1a6314fa300bd8144890000000f8b4c4cb797c1ac0e668c598c48afa1f46102024542d796e2ad6a0924b205ebd1b376de696af99362380f5354130e5416da8e30e6e5ee1b5c0c98e51f75bcbe006e95763c4a58d9e7290045f4ee7b8ae00b76abb77aa6663fa46fc816911c2493f5c76c814e1a66207c48b0190e59adb51c479dad521920f66c5cfac552a525abd2dbbde51c87e179f717aa11d6e573f40000000fa26acbc075b85d54319bd504aa8aae545d1073db20a4b9d82ab5bbd6a26eb783a157164ed4912b0a7a1e049a957394f7886c309ede438ae22a2e7504ccd7189	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.v258.net = "0"	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{209AE721-2F04-11EF-BB21-6AD47596CE83} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00946beb10c3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-b5-85-d4-91-ef\WpadDecisionTime = 607dabe410c3da01	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30DE2507-6098-4C96-92D5-F92980EA6F42}\WpadNetworkName = "Network 3"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-b5-85-d4-91-ef\WpadDecisionReason = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30DE2507-6098-4C96-92D5-F92980EA6F42}\WpadDecisionReason = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30DE2507-6098-4C96-92D5-F92980EA6F42}\WpadDecision = "0"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30DE2507-6098-4C96-92D5-F92980EA6F42}	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-b5-85-d4-91-ef\WpadDecision = "0"	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	KSWebShield.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30DE2507-6098-4C96-92D5-F92980EA6F42}\WpadDecisionTime = 607dabe410c3da01	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-b5-85-d4-91-ef	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30DE2507-6098-4C96-92D5-F92980EA6F42}\9e-b5-85-d4-91-ef	KSWebShield.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2412	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeDebugPrivilege	3032	KSWebShield.exe
Token: SeDebugPrivilege	2888	KSWebShield.exe
Token: SeDebugPrivilege	1572	KSWebShield.exe
Token: SeDebugPrivilege	1608	KSWebShield.exe
Token: 33	1572	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	1572	KSWebShield.exe
Token: SeDebugPrivilege	2064	KSWebShield.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
484	iexplore.exe
484	iexplore.exe
484	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
1304	KSWebShield.exe
1304	KSWebShield.exe
484	iexplore.exe
484	iexplore.exe
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
484	iexplore.exe
484	iexplore.exe
560	IEXPLORE.EXE
560	IEXPLORE.EXE
560	IEXPLORE.EXE
560	IEXPLORE.EXE
484	iexplore.exe
484	iexplore.exe
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3032	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	31
PID 2372 wrote to memory of 3032	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	31
PID 2372 wrote to memory of 3032	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	31
PID 2372 wrote to memory of 3032	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2888	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	35
PID 2372 wrote to memory of 2888	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	35
PID 2372 wrote to memory of 2888	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	35
PID 2372 wrote to memory of 2888	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	35
PID 1572 wrote to memory of 1304	1572	KSWebShield.exe	38
PID 1572 wrote to memory of 1304	1572	KSWebShield.exe	38
PID 1572 wrote to memory of 1304	1572	KSWebShield.exe	38
PID 1572 wrote to memory of 1304	1572	KSWebShield.exe	38
PID 2372 wrote to memory of 484	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	41
PID 2372 wrote to memory of 484	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	41
PID 2372 wrote to memory of 484	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	41
PID 2372 wrote to memory of 484	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	41
PID 484 wrote to memory of 2940	484	iexplore.exe	42
PID 484 wrote to memory of 2940	484	iexplore.exe	42
PID 484 wrote to memory of 2940	484	iexplore.exe	42
PID 484 wrote to memory of 2940	484	iexplore.exe	42
PID 2372 wrote to memory of 1976	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	43
PID 2372 wrote to memory of 1976	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	43
PID 2372 wrote to memory of 1976	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	43
PID 2372 wrote to memory of 1976	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	43
PID 1976 wrote to memory of 2412	1976	cmd.exe	45
PID 1976 wrote to memory of 2412	1976	cmd.exe	45
PID 1976 wrote to memory of 2412	1976	cmd.exe	45
PID 1976 wrote to memory of 2412	1976	cmd.exe	45
PID 2372 wrote to memory of 2144	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	46
PID 2372 wrote to memory of 2144	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	46
PID 2372 wrote to memory of 2144	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	46
PID 2372 wrote to memory of 2144	2372	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	46
PID 484 wrote to memory of 560	484	iexplore.exe	47
PID 484 wrote to memory of 560	484	iexplore.exe	47
PID 484 wrote to memory of 560	484	iexplore.exe	47
PID 484 wrote to memory of 560	484	iexplore.exe	47
PID 1976 wrote to memory of 2512	1976	cmd.exe	48
PID 1976 wrote to memory of 2512	1976	cmd.exe	48
PID 1976 wrote to memory of 2512	1976	cmd.exe	48
PID 1976 wrote to memory of 2512	1976	cmd.exe	48
PID 1976 wrote to memory of 2488	1976	cmd.exe	49
PID 1976 wrote to memory of 2488	1976	cmd.exe	49
PID 1976 wrote to memory of 2488	1976	cmd.exe	49
PID 1976 wrote to memory of 2488	1976	cmd.exe	49
PID 1976 wrote to memory of 1248	1976	cmd.exe	50
PID 1976 wrote to memory of 1248	1976	cmd.exe	50
PID 1976 wrote to memory of 1248	1976	cmd.exe	50
PID 1976 wrote to memory of 1248	1976	cmd.exe	50
PID 1976 wrote to memory of 2336	1976	cmd.exe	51
PID 1976 wrote to memory of 2336	1976	cmd.exe	51
PID 1976 wrote to memory of 2336	1976	cmd.exe	51
PID 1976 wrote to memory of 2336	1976	cmd.exe	51
PID 1976 wrote to memory of 2676	1976	cmd.exe	52
PID 1976 wrote to memory of 2676	1976	cmd.exe	52
PID 1976 wrote to memory of 2676	1976	cmd.exe	52
PID 1976 wrote to memory of 2676	1976	cmd.exe	52
PID 1976 wrote to memory of 2472	1976	cmd.exe	53
PID 1976 wrote to memory of 2472	1976	cmd.exe	53
PID 1976 wrote to memory of 2472	1976	cmd.exe	53
PID 1976 wrote to memory of 2472	1976	cmd.exe	53
PID 1976 wrote to memory of 2332	1976	cmd.exe	54
PID 1976 wrote to memory of 2332	1976	cmd.exe	54
PID 1976 wrote to memory of 2332	1976	cmd.exe	54
PID 1976 wrote to memory of 2332	1976	cmd.exe	54

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2580	attrib.exe
1684	attrib.exe
2144	attrib.exe
2964	attrib.exe
2976	attrib.exe
1568	attrib.exe
1588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-31
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:537608 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:560
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:209958 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:f
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:f
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:f
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:f
    3⤵
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:f
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1684
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2144
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2964
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2976
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1568
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:R
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:R
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:R
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:R
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:R
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:R
    3⤵
    PID:2812
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk-31
  2⤵
  PID:2144
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-31
  2⤵
  PID:2520

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Desktop
1⤵
- Drops file in Windows directory
PID:2056

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Favorites
1⤵
- Drops file in Windows directory
PID:2388

C:\progra~1\kingsoft\KSWebShield.exe
C:\progra~1\kingsoft\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1304

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -install
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
648B

MD5
7b0140241e4d8d78dd982c2e2932b8ec

SHA1
1b9b96eccad5b8e2daf4de2805f50edc8f0a89bc

SHA256
3df864a31ab98d4f23810a3ed6190ff5f54659440c86b67829e1bd4acd02c91e

SHA512
143fb521e98db2fad15a1d11f8542759020f1af3417cf111c28f52f0d9025ffe232efaf7043f0031137cbb448973d9a6700dfa6f4a85063ecfea52759b06118f

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
202B

MD5
ce03e770fc63a1d5c7ef2f8f397b8d57

SHA1
ab1ceada8f9b2aed9795e213cffe8105e8144e0a

SHA256
929efb1ee8b5b4675766cd39847651b87672b1ff9ff0af5da44c274efa7687ac

SHA512
f8660812cdc631d6225f714f40d79e13cd2aed92f73a8880e151be801baa1450d662bd369e4b78fabd15440b5b07b3ea98fdbd57c921be88d7af8e2d3386d5d3

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
356B

MD5
39df563e5d012fbd8a15b24b3ca45f09

SHA1
0fde0621c09d4fe1e1ed95f4453dfdb9421ffa77

SHA256
38832b4628535334aa4254048fbacb7b53035585bda0185e170dd91f3515b644

SHA512
3934f3f4387c55e124bc776a0de923167bce54d18d47fd6d093a6748c5f65b03bad544b994c5bd65f3a2fc346872b0f28f2e161cf8633b0bd528f38538368d4a

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
748B

MD5
6ba35f38bf07ad25f2caf84ee89905e7

SHA1
406ae3f0b210b1496c704ec013786860f6cf0636

SHA256
cc8821ad50a36aa22610220e21bd5baf717ef64aeb3cf4bb47f223e1bf87868d

SHA512
00c58288992d30b592145bb94a1c72dc5b7c4ec742f4da3edeb8a42b8fba0658259e50fb740b05a2f8ba9b5616569c8aee1d66b6a030f59a88ac3e29b3b5383b

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
550B

MD5
aef3d1fbf3999bdad51c5c20fe1b9258

SHA1
566ec82a207df08634ff0d7ae65a561badd4e9b0

SHA256
6e202e46ec8edb910b471f2c2cf5fc4697880f1886c57b9bbc32d0fc896bff98

SHA512
116564f3c26172e53795ed42d08d79e1b0d2d78097bed85cb1dde8105359d18f981ce973b90369b9b79d43afb0648f2649380cb757104594a4f5c53d78fb1ce1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360safe.lnk

Filesize
1KB

MD5
5a344ba5d25e0d23e2c1608e914c607e

SHA1
f16a98c708f9dd31be45a9ef8f10cb944dffe36f

SHA256
b46436bdb009e6115f9b3ae682a4215269fe9a7ad934b2a97d99a707fa328c1a

SHA512
5ef90c37cc70452d580e683682296c1adaed9550f275b12575c8ed4647594b1ffdadfe535d61538f2e05566f3674e2518b2135fc50f5e662172e4051f5b22dfb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360sdo.lnk

Filesize
1KB

MD5
2f438175699344d90759043f59b2a00c

SHA1
897b2d3e6d9ad6feb0d4dde4cd1cb2273b957aa0

SHA256
550ff177470199642a4e1fb25b6c72f5b1f2365e33a6e510c372b76a8fe6ec43

SHA512
c69a52d0179e2da966f7cd46c778f8637918377443cbd76401de55c1d9f1390cb7bc7129568360331e2eb1befe4ace1974b7a9dff8b190a13df44e1131147aa8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\KSWebShield.lnk

Filesize
1KB

MD5
929b95bfb0dc6dc92f7b53ca9b5e4a11

SHA1
5a6b2af352613442d33949de099d6e3663211175

SHA256
10045135aecfdf546d71e579241612590edc5db6872b1de1a633fe98cf30636e

SHA512
83006902573ccb7810cbb9f52ac176d1f62c8f9d220d14c9aaabf48794ca6b6db57219a76f8988757c5d70de24a05964608b926d571d2fd4f359f017fd2ef940

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\½ðÉ½Íø¶Ü.lnk

Filesize
1KB

MD5
bbac004e4e5250fee53903532329212d

SHA1
a4323933974c8560e9cf5b76d652de94c0cb48dd

SHA256
860557fb8e735632c1ebda5aae6da7a6ce7335a45fcee3b5d342e9c4bc4b76c3

SHA512
7c0e8c0f6c8b49141becb9d5ee678a2ec041db2cc92e882c97c72ec6eb27dbfd47ee002573e1c9b9e5cb35ac8bd3eecff3a1dc460b1d3961764714e7749a5efa

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
57B

MD5
efbeadeb0973e0ce17bf9d525ecef7bc

SHA1
830dafe3f6c474a2d0558fe90d95c7235ef30dcf

SHA256
1475e85dcf53af36c28a334ce5dc4cb1a41ed5d752cf3b72c3d8fec1c000d958

SHA512
fcb46707359e4ee5dc1d982a6d90e355313ce2588b247f9d73223da2cef2c8e46168782de783aeb818e5299b9f5dbebb1d8f365fa0e7654ac049b02e9411f6fa

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
89B

MD5
2b051c865c9a946fd87be6fdb9ed51d7

SHA1
0852f784fb3b0feb29f806f4335ceb8f00706b09

SHA256
2122548202e2ed61d03aea30ff75193b65cb4f8d4b542425a3e7436c74bb03ea

SHA512
4675bc359364ddb3ce26923b0f2a7d7180b7a7d4733231a9e3ee0d576984b206e816c7c30ba20da4933d00924d7e2b84419962803442523860699db592e194cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47e693dc578f21a195dbc6920daf41e5

SHA1
472c5f8755c5e5cbfaed926f974d7482cf3a210a

SHA256
b9d804246301ced370dc420f3100c70a10e20c21eb649e28726f17932ef9ad0b

SHA512
9d7ecb1473dffc4ff1198a65b048e45213c0cb89dc6a80651caef4d769466576440e4494fb7c2567488d9aa359274fc9569e4770ad71cb19270fbf566061e39d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc1412ffc0fbe2c4c3e5fc465269b907

SHA1
5af885418ce49877f5acf96d9461485545d6ace9

SHA256
6ffc4720690ccaa4d075b26f95c965febffb68a53892bd68b8ae6aa760d97274

SHA512
ca51e0bdadbd60141835df108721211671bae1b5d171a2a248be41f231fc4f73e9890e67f95c46a0fbcf7e463afc242d8baade89b1182fc2506b9ea8e6b32f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
178d7db9fb85d24e419bd06938579c13

SHA1
9f1d1326323176636bae0f8c1ad09f86e2e711ee

SHA256
b911af570cea4b971a9bad960dcc2c4e7aee133694ca897d2d5a046ff27e3177

SHA512
ae26f0a07f915924a835d9434c610b5df13741e1262508892fca72dedc4ab5f13192c39c59000c03ae0c9a345a04aede1ed7f3cc5eb5c6bef5bc9a2bc5635d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5e2f8007b042fc12679e0da1f38c941

SHA1
eacf19025334f56960e16ac768a706f2f91cb597

SHA256
762419fc1f833b2468753bc20fb8d31ede5a8d48fced76f970f8e668216001b8

SHA512
7f64a4c3b2980517654b6a05c8dfae7eb2ab29581584c25928e49d2db123d68a161c738ecae098a6c29059c40515ec26ae9a03e18605f9c360c5fb62aacd022a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e04b47e9355d24c0decfb8061bb9fde1

SHA1
7dd80c25730624f4d1e0e68529c27950fddc3164

SHA256
66e4f8060b88e0c670c28e0b403eef79e3d8e83181dbde8407bf1a0ff987e3ad

SHA512
bb777b074533e3f589821906290536217af4f177ca395787ec96c9af160ea12600141bfd7456432672f095e7ee173994cd19cc21f39075f0fe821322c86c4f26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2bd37404a2c441866ca84636ca44fef

SHA1
992189bdee2b12e7766546b072b139dc37f29ce4

SHA256
c13ebfc4bd32ea020d4e14621817d9aa7d0c630edbd32ad5b2acc8036aec5fe5

SHA512
0efdaea7b03d4d499b6ec8ec0f0a5fa09d69470d1c06ce902057f80c0c02011c04f5753cc8bfd36fe4bbca952bc1a176cfa3261decb421fb335b29109c6502c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3beb0e460fd5cc74ea2a245c08df2f89

SHA1
800050134d265efc82e36467312eef832027c9fe

SHA256
c506b55b8748192920e65db420c8011be676e299a32398171b8724f33854c5b9

SHA512
455dcb2c5c8096f66e76cd598ad1c39281cebf89a91dcff30dc19b90dd3c1b055d85d6dcb8431d98f825e8ccb19325ca60f1339de839e8ccdf21b1cfdb2bf0cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d55860393309df8b38a21ed5c6ded35e

SHA1
0849fd8e4a5b43e69bc55b034e0208c1420e746a

SHA256
964be4b2d2a44b1eee28614d690c4ec4ec2e937eba818d547c047410ccfc0290

SHA512
bdc99b0c1bd69518fcd3049de8ee53a274820bfbda493aeece6393c850e7ea4cd7ff018f2d5bc4ffc68bfaed213fc964f7e552d6089b69ab0cdaeb832db1947e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
224f92917148feae1165651d2f9f0c4f

SHA1
35154f33d0327d2bb6bc238c6c276539e5560728

SHA256
e237f51681dd987e485a269eed96fe090939016b7f5d8547fd18cc5cb1650b09

SHA512
77e5d6ae180d1273a4183892e780596f05f269361d93822afd6717700e7fe4dc74879c26e23fa9d30d0715ed829613feb9562a9b28c0a6bc282231faa29c24a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31cc8737ce39f0b185cb83b6dbab977e

SHA1
6d6dcaa894a472d93099bbf613aa5bbbc9402aee

SHA256
52221fbf694ecd92e0ad5a8058e9b3e85b1e68dbef38a4f8a3bdb95b327549c3

SHA512
ae82dc631ed00b860fde36d137690a6a9239f540d33f49c2dd7e349780590851072dd90f38e19ad4e02b6d9bed38e947a33036843165527a875aae7076e5bb39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15249e0f6bbcbbb25ab2f7dbbd9eaf8b

SHA1
4924b7689744ad0e1d66f9f47a0d908cf1ab5173

SHA256
c2a9fc75834e9c53efa140dcbef87f35c55b8d73e49897703593ec2aa4362fe4

SHA512
62dead6791c90e9e1d993869b957ef0bdaec8b0867b1c02d4a5739ec403748a7067ee5fe4a60a227588ee38229ad891fa1c9e53d971c083ccbb5bda020b22e50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2a578fc1685bcc22c3ae6c256759ceb

SHA1
c791a08fcc829eec7b58836db0ed485164c3713b

SHA256
ca63d00bdcfdd34cfe49f6cc13900da34f03eb01ec9faf34bd45b42b0ad9735e

SHA512
6eb739d9b6e8cb2120fa8a6bbd54e276f3cbeb438f9b43c53a411663505ed194c5a951eb1d43eee76152ac254b06c9cbb6dd104c2a8b543bcf3a2df6f5414770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe64710045aa4fdb9382df918f6076e5

SHA1
04b7a8b09adf59465489eb429604c83251cb7003

SHA256
ec2e08d9ff466f49dd296128aa21ba9c73bc1116d8623a281c2004628365a324

SHA512
5cb0f7eb270e67739b6c9a725b3a52970bd4c2d2acf16d4ec850dc9d2c7b1f514395de169be6826a94a70c1f3871b4381d7af0a821416529ab43a02c87230e03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcfd9c6fec2ba4436d652c0ed40b47b1

SHA1
9fde2caadcd29bd646b4e5c44372e8ade6f1f7ae

SHA256
171d850b277c4a3d6e1fc117978d133491d74a6d3f5dea24f92e6e0e16411440

SHA512
4d1d0ab0a3ce0b72800cb3ee69011840a01efd8d418d238fcec9508fa3ca39d6f558b48280d5878d01fc93609c9b647a5b443478e06f0126fbb4ceb5a4c9c1c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a69d20919a0545b640eeee7f1b9b7ad

SHA1
01009b1cd6818abe2dc9f4a084b62d89d1ee7eec

SHA256
a02d09829149ca0e163c406ccfb064652588598718acfa787cb5938a97252c8c

SHA512
1c26e594f766482e494003e00bef5b468906985036cb8c838f821499032fc500b6dc9ad2ce6f780e36bdf2255bbc62276af22fd6118449ee6ee8d87da5d4fc90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7e9234458571458c4ec90e1352a694

SHA1
c98ceba9ab2788ad5d6870e1e34e88296c541970

SHA256
5e7091ffc3b8ed98ac2e6e2d35c9569bdf0798124f23431253ac41d38b155df9

SHA512
53489e41ae924029c2b01eecd74a94f41c9bfd5bffc6d368f6f82f16b382a6a2d9dd4254ec867319c541a1e57c498f67ca2b32c1e53c816d304556c20836f2c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fe0f95d332a8063ee6a22e1380e09b3

SHA1
2e685e78f4aebfe9e11cb3c6f0a0cb5c4f8ca0bc

SHA256
0c33a8cdceff6e9a00893159ab9f1f50fce8fed3f4e812760a31b5985d85040e

SHA512
23298e1d3d5b29ea2477883a1f7cf0ca02d6791d0310070c011d6a9067be638f2df94a41820cc677503f45ee0c975332ae4d2e130eafe170530fb5ed3d541de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729d13ce6ec85a43579c0d3f29f5f8c5

SHA1
f3c6961a76ff25dc2af80f80cf43fe124ec4d0ed

SHA256
70c762ffdc5a22477eaf0a52dda735c571bdc366e93b790efc9460ad05ea3390

SHA512
30926d09aa946e1088536b5b7a6f6772eee1543abbf12000740df5193faa06463b695dfe70907ad8a343bb26096362019f4fca68d61e9e23281e75a17ff10f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78caecfeb6681e01011bef56941b1f63

SHA1
939ab3504a6b5adcb4a5045e2362bbaa523c2945

SHA256
641e9bdcc3dbda092f39096aecb97abcd5d6f1ecc365104ed3c8c652ca0a422e

SHA512
395d6d4e03411f288a62031f3bb3935dc6713f968dbad09dab835dde92ff171db49143ac60761093300c89ce055bc1c92d07550a7968adf225671857e56efe34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ffb47251afb4756db28e8217aac9ef8

SHA1
53deb11302107e50d5775538a10fb6a9ad2554c8

SHA256
2f8c62867156d51f5a8345168478e9ddbcca03a47e2f8ad150c7d708abc49e04

SHA512
8fccf1491238fc64bda6d41112f12d3f65ccf69881cc369759b1e2eb5cf5e4057f5cf2e430cb30594426b4927df00ed77c74bd2fc7299eff0f13c587baf7fae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1662f417d354a3c11a4721ef7705cb2f

SHA1
7301fcd2cb1597d029e33a207c6c439701edecf7

SHA256
45816951937a2e8a637a8c8db19fade65466447c23184eca9407f5eab08a9afc

SHA512
bfbab76081d1207bae9261109356bc529b7abe7420069360cfe142dd69e227b29f03bb6d11db5a51d7c12bd9c5793effaf7f7d5977be4b9e1c222fcc6092a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6827b003243660e3f0068a063b6952b4

SHA1
24420d2c092204005bdcd14346df36150dcebb9b

SHA256
618295688591604dd9a49d38ba4150cc7f4c3c18343313e90e58a96702d4af16

SHA512
13fdaf2ac423c68ae5595852ff5eb47c9d4fa957122fb682ff040cfb51da678f484db7bfc3fc6656741b331b13613f2782e019ba78d9301437fcc14a9a359cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af3af7adbbb9f7f613b8a05f556f237f

SHA1
80de7f5377f7a7cd082047e0659606c9a7a10a26

SHA256
41911fe938182062a579b19cc6b8cc6eca5e76a45f8715daa7784cf09a335c87

SHA512
5707adde3bb46a73401e01f5f25899365f06ae01141af8545d691582e2f276252e1d236882bbc2f55fcec02066c844b0e2fe633e033787fe3006cbd8beb2343d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
695212a22a0396ea4d38376af85b415d

SHA1
9c3821ff60e834eb1775361fbec6bb44ddab067c

SHA256
058833b54ee5e7e5673c16e5283ae660d2541f3b23f656f6880e883b623433b7

SHA512
0d46b4ad66c5754556d3749ca34003c8cdca7c5e4a9e14be873afd2b3a2902d66aa3fe1ba5432df308bdef93f5a4613bd9e89530240507122ef38cd01702ce97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
644c7c0321ac0c319e5d75dee44c68de

SHA1
f9de9ed30b6537248e1faa5d56a06fa3e79b9c55

SHA256
960e9e5676a31a25c156b4b988860340e93ff226582c51bf4fa618de546d886c

SHA512
b3d66bae18e010e9b1d8a3ac06daed1bc7fd4dce4f8236a7eebe7e6e8417cc7aa271c342ef17018812a52211e513f4090fef006347a0e2cc4bb7c2ea07b0688e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bc6de47ba9160db371959c2f8fbe91f

SHA1
4b3978ebc2846a884a8884e1dcebd54eaab52dee

SHA256
c08d75a37314e6d982ab8ea9583a0fb3714de6c11320afa8e2b238f4736c544c

SHA512
0e257436b53db77e05af4bd29f34cfe57528b4801cfb142a9648a392ca30942182b6d42a4687fb49a1c6facc100d0e17f792220f60412192774b54e1832cd03b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e035de9bdce6db2761a3ff34fb082e2

SHA1
efb3ad0fe88114e759938bd860ef74932de29e5f

SHA256
dd2890965c1babb5d64285da93f13937cd3705873e0d3ac754fca2335e5b8ea4

SHA512
2eaa47c0d5e74b1c8678843b6fb3ec17db7e729fae5f1efe1206af5fcd6705fb0329b78f3c9053deac88d73c69e71abfb24c294bb4884d73e9bb5a4e169443fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc07824b7b5bb3379020813ed72d7edf

SHA1
f239a1d83f24c35ea78c858d8e0499fc421193d1

SHA256
7c3388e0c57271728c8f3392aecd119847e913622b23363901a5f80b155a8b28

SHA512
b845b97d81b623420627e981a12be94b637821b3ff0ce6d75f51f951b06c2a811f08f043bb785e2e1fbac6313d3b26ab7e15c6a9dfce3459b32ac0dbf33af591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7734e052e9c0488bee6cd23480fbb93

SHA1
e1215ce9c34e06e6da84fda7a05b6916ff910ec6

SHA256
10f47b6bb16b3000e20ba07057ee6d06e42ba3b7f396bd991510462c8cfb3dd9

SHA512
ea53efd7d42f88a00726f19df35594e6980a94d74539925c10d857bb7ec9cf076fa846ff457697e862216ad1c09e78a841fb8497ac047085b6596e30a1dd506f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c63d31938bd63da4176b7f7ce1f537c

SHA1
7185e9d3f032b3d1509f38b102ad3b6a35aada0e

SHA256
8055e2ddc44b8b9a6abbd4a3125432a4f34851b2f696db690c2454f6d78592cc

SHA512
62fab607c54a4396f460bfe94ad6e90539952d08c7993d4eded8bc126e0ef7774fff93bea8d0d5731f770e91d15a84b43551e3cdee70a75e5e410be40581d971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebf5fe197cc75a1003df3f3eb5ef2c6f

SHA1
3cee6f527ee36c852fa3824ee132f6198588103a

SHA256
8e9f8696e7381c5c9762ef37e77594499aaa41ac59dde289371186631195b505

SHA512
52219caeb56df48065a8be47b1432a8b8876eb3217004113e292bbb124ba0cf71ec5a99e5407254cf6eb461700e88f0cb4713d2f3db27de1f8154d3498cb2449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3cdab92763b97ef77a605c990cdf9dc

SHA1
d6a9b541eabeb4712658d9ef1d45c7b13cb877d7

SHA256
c9d1ec9c830f0d5bc54ca7697aea774ffd705402de1acec69ea548a6b8ed9980

SHA512
6d8be85c52f92d156881d58983556447959e7792633451d83daf9a64133f6b4f089d56b3908592287d72e273b95697bf39e8ade7106f13b756523a32ee06a591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dea0e58b3c40ec86e369243e70eef28e

SHA1
7efde1349ec9d14abe3060568ef5d5537201f2c6

SHA256
741d3e8a495890eae011b7b9d737f31db8d3835e6fceb4fae6b28d336e30caf3

SHA512
a3c0781a956e693d89009c40568585ce78cc13c87109db9d9383f6a89dd9a8caaa32f52ecc03aacdfebb12a8162f41dc741552f55e2e9610caba26cad6940c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7227.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7375.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bat

Filesize
1KB

MD5
7224ccf9d4354e76d4b5e8b57d5dab17

SHA1
2a910ce03a6b7cfb09c220d85577258cb3ef3a7d

SHA256
76487df756feb13baa1af6c7b09041beb7c80115547796e126a4da2bf867a6df

SHA512
f601bc1148f38a8cbf72cd8e983326a673ffd8c4d69f413abeeba869f29ac7097eb3613cc2303a1c08c4d6fa2a694ac193d416fea41c48316e82c7f51b57e57e

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÊÓÆµ.url

Filesize
134B

MD5
f74aa96b9b45c6b94531b192d4926ed8

SHA1
9352c33b863662540afebc3e7570804f1ac8f23d

SHA256
31530927f5f5b0a42111845beeee35fa7d85aea04e3f8b26283b4b5fff01b3f2

SHA512
0665afb5e78385fcbf3def63e09358ac136162ccec3dd7b304f4d428c401ee38a1841d0c0fb691bb7ad0afe72d6958bd63886f4699176f5dbfedb4aa128968c1

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÊÓÆµÁÄÌì.url

Filesize
138B

MD5
b324dce5693edd4e8df0902d38bff5e2

SHA1
a5cd57f79f309f1bfdc4103fb73f6fc107b691e7

SHA256
554150ee44df6e1676373a951904dbf67aefda2f521184e15fa6b7a5980f94eb

SHA512
7cbe3704a60c0c1002a0f0648fb43ddcdfd44bdb65ebd3f88b8f29fd1f3e61c1ae25cae7d6e6f832773ccc47068d38422a4e8c60b1bd56e495d171c2c24ba71c

Download Submit
C:\Users\Admin\Favorites\ÌÔ±¦¹ºÎï.url

Filesize
135B

MD5
971c6a735a623358b013d44528942707

SHA1
03b058fa21afb28c10b9630bbae040095af8f335

SHA256
fdaf404d55a0d798f3f7a6a70bd023f02ebba07062b79dd50e543a18800be08f

SHA512
373c4cfefa02069d95d28320a9f7d7636b9c779a619a6c3aa77598e959dd0b09fa3f4238dc38c1f1843c09e82457c7d4a58cdfef2bf0cd300c75f501f7286b02

Download Submit
C:\Users\Admin\Favorites\ÐÔ¸ÐÃÀÅ®.url

Filesize
133B

MD5
5a52bb6c53b4839dfa8520a7fe5b53b5

SHA1
c124cd3787130609936d62d988e61067a22bb1d4

SHA256
cd201c825bcbe86a66c2cd500a0cfaca065fdabf753e220012a0cf8c90a4d0ee

SHA512
27812417c5379ba86787ee01130d6c2e85709f33b06dd2b35050b138dd75e76e10428d583274a17b8cf1bcae1fb031c904716318732eccf3b11f529982836710

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßµçÓ°.url

Filesize
189B

MD5
410344edda7f66eed109b512a5c20d9c

SHA1
eb4a4646312a24d13d7bbc49c04c1f74879b199c

SHA256
2743d42f107c734d57ac9922e5d5949254ec3cb512374135d40a0607446afbc4

SHA512
1753e2104c563b377668be35aa1179ceba7ffc7854be9ed3d54e0e4b695cb0a0f3867aeb255e0a96651eb1580ac654db3c61fa7e6242d8b86c192f11b1bb71b1

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßÂþ».url

Filesize
190B

MD5
6e028a15d5121ed2504d69fe97945899

SHA1
b664b2f0d5584382f42322c0daf49c515bd692e2

SHA256
5f4d7cb69f9919ca3bfb5e93f7bf5af8f6b31530d09fd34a9d64be3c70630bf4

SHA512
487daaf3e105012185c6f3f11787dcea31ec299cee6b1aa6f9e0c1e67929ea9d2134d642fc5b981a0918d7b25dff00f2fcb408cde7e1683458e0994fe481e718

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
2f243795bd830f2c12cb17bbf5bdda6c

SHA1
8046089ea9c41181d5ed7abbeb3709cafcfb9674

SHA256
fb4224673bc472dc9566a36497bb1a462ca3a831dd273ae16418d833ad992412

SHA512
22912fc2ebb597ca3f657055a36acd4eab50af3581176f1973f87b1a82b010d6d03dee35a4fcd1faef68c28283a0d4816bd69a0c05a3ace2456ecc3c3b763c5e

Download Submit
C:\progra~1\kingsoft\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\progra~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\??\c:\users\admin\appdata\local\temp\url.cab

Filesize
6KB

MD5
a850198c5a2a745131584d535fd8b1f1

SHA1
cc9e4398441b0960c8af687bc2c590ac2020f1f2

SHA256
3bb4f7b8125ee3adf9e8dcbe705335e54f09402367d174d466e1ae0249c95d09

SHA512
4680dd5c181d29bbbbce98c740d13bcc935b6d0aa603789936dae9c1df4e70bf5e8db7f246522505c9f85bd67caddec0047a88b8b52d3213c7ebe66c460ac4e1

Download Submit
\PROGRA~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
memory/1304-106-0x00000000004B0000-0x0000000000520000-memory.dmp

Filesize
448KB

Download
memory/2372-582-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/2372-137-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/2372-113-0x0000000003D10000-0x0000000003D80000-memory.dmp

Filesize
448KB

Download
memory/2372-0-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/2372-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download