dbe205dc5bad1a8598c4b8da25bb4f94dd360b5a6692517d5cdfd70e49fd7191

Analysis

max time kernel
52s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfb42913fe45b6b7989356999d493f4_JaffaCakes118.exe
Size

5.0MB
MD5

0cfb42913fe45b6b7989356999d493f4
SHA1

6c505aca4f01f60d459610e991546d1dceabfd47
SHA256

dbe205dc5bad1a8598c4b8da25bb4f94dd360b5a6692517d5cdfd70e49fd7191
SHA512

dea85606d94968727bd263e0455f542a5ed36a72f89b61cb9fdcfe58a13417b31275c4a95f23fc13b61e833225b9af0739f60e15d27d4fcab1efcb7cd2a50566
SSDEEP

98304:StH8TYdl72SNfN2m0aIRRRCKrrKgg0oC5xf30iUtvHfIaE:StH8OqS+RrCqi8831E

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	kkgame.exe

Executes dropped EXE 13 IoCs

pid	Process
1220	KAS5796.EXE
2240	ksvs_setup.exe
3644	ksvssvc.exe
1616	ksvsext.exe
3220	ksvsupd.exe
1160	diag_repair.exe
2104	ksvssvc.exe
4972	ksvsext.exe
4800	ksvsupd.exe
980	kkrs_setup.exe
4508	kkrs.exe
1212	kkgame.exe
3096	kkrs.exe

Loads dropped DLL 38 IoCs

pid	Process
1220	KAS5796.EXE
1220	KAS5796.EXE
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
3644	ksvssvc.exe
3644	ksvssvc.exe
3644	ksvssvc.exe
3644	ksvssvc.exe
2428	regsvr32.exe
512	regsvr32.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2104	ksvssvc.exe
2104	ksvssvc.exe
2104	ksvssvc.exe
2104	ksvssvc.exe
3140	regsvr32.exe
632	regsvr32.exe
3280	regsvr32.exe
1212	kkgame.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\KKNeedReboot	KAS5796.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KuaiKuaiGame = "\"C:\\Program Files (x86)\\KuaiKuai\\KKGame\\kkgame.exe\" /auto"	KAS5796.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\hardwarecheck\main.html	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\recommend\main.css	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_bbs_hover.png	KAS5796.EXE
File created	C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkproto.dll	kkrs_setup.exe
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\flashplayer\player.js	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\startcover\images\run.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\game_multiple_normal_left.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\flashplayer\images\bar.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\save\savelist.js	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\common\css\images\iknow.png	KAS5796.EXE
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\libexpatw.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\detail\images\btn_comment.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\hall\images\top2.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\manager\images\bar_bg.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\manager\images\cursor_tip.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\common_bg_middle_middle.bmp	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\game_multiple_hover_right.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\led_game_on.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\flashplayer\images\star.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\qipai\main.css	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\recommend\images\status_bg.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\kk_msgbox_no_hover.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\kkpid.kid	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\detail\images\btn.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_nodownload_hover.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\kkgamewizard.exe	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\depins\index.html	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\detail\images\l_bg2.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\save\images\save_btn_login.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_tool_down.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\depins_cancel_hover.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\update.cfg	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\pop\main.css	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\common\css\images\esc_tip_big.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_nodownload_select.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\depins_ignore_normal.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\netest\icon_ask.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\fav\images\fav_fail_bg.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\hall\main.css	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\manager\images\no-item.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\webplayer\images\bg.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_close_normal.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\common_bg_middle_right.bmp	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\game_multiple_select.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\led_game_off.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\hardwarecheck\images\loading.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\homepage\images\icon_kuaikuai.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\localgame\images\no-item.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\common\css\images\esc_tip.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_bbs_down.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_restore_normal.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\detail\images\img_icon.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\localgame\main.html	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\bg_left_top.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\flashplayer\images\bg.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\tab_download_mgr_select.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\uninst.exe	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\manager\main.html	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\search\images\blank.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\utilities\images\star.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\common\css\images\game_tip_top.png	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\common\css\images\icon_default.gif	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\web\common\js\ui.min.js	KAS5796.EXE
File created	C:\Program Files (x86)\KuaiKuai\KKGame\skin\skin1\ver1\btn_size_fullscreen_down.png	KAS5796.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002328f-2.dat	nsis_installer_1
behavioral2/files/0x000600000002328f-2.dat	nsis_installer_2
behavioral2/files/0x0007000000023659-564.dat	nsis_installer_1
behavioral2/files/0x0007000000023659-564.dat	nsis_installer_2
behavioral2/files/0x0007000000023660-713.dat	nsis_installer_1
behavioral2/files/0x0007000000023660-713.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
3488	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}\AppPath = "C:\\Program Files (x86)\\Common Files\\KuaiKuai\\kkrs\\"	kkrs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}\AppName = "kkrs.exe"	kkrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}\AppName = "kkrs.exe"	kkrs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}\AppPath = "C:\\Program Files (x86)\\Common Files\\KuaiKuai\\kkrs\\"	kkrs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\kkrs\WarnOnOpen = "0"	kkrs.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}	kkrs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}	kkrs.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	kkrs.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}	kkrs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}\Policy = "3"	kkrs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C39F123-88C3-429D-BA06-A9AE19547BB0}\Policy = "3"	kkrs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\kkrs	kkrs.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	kkrs.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B814E28F-71FC-4300-A6B1-D246651FB301}\1.0\FLAGS	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BEA8551-8E91-43B8-BC6C-30AE608DE33C}\ProxyStubClsid32\ = "{E3775B0D-480C-49AA-9F5F-340CA4A956D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\NumMethods\ = "5"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C14B05E0-9F64-42EA-894D-C57B72866606}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15A8A5B1-6AF8-4023-9400-C04150A22196}\ = "IKsvsApp"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{718081FD-2A38-43D0-B916-0FA80DA70068}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C46E83F-00AD-48BB-91B0-E317692DF0ED}\NumMethods\ = "4"	ksvssvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\VersionIndependentProgID	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDA0CE98-8C9C-48A2-893D-CB6298BDE67C}\NumMethods\ = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3775B0D-480C-49AA-9F5F-340CA4A956D6}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26A7F9D7-BD6E-492B-B81C-66C5023ED497}	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32FFD0EA-C0B5-4EA1-917E-D4AD91E3D164}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ksvssvc.EXE\AppID = "{4D67567A-8F87-4F24-A787-56BFC0EDCBA9}"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FB3A327-55F6-4243-B65A-A7865907EC81}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB565187-F591-4960-8CEF-1B149072A353}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D33798A4-B732-4A5C-B26F-E77F48E3C4C0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B581762-7369-441A-A246-FB0C251B6206}\ProxyStubClsid32\ = "{E3775B0D-480C-49AA-9F5F-340CA4A956D6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\APPID\{2dfb6059-396c-4e5f-a037-c534c6f53db2}	ksvsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}\ = "IKsvsPackageOpenCallback2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D33798A4-B732-4A5C-B26F-E77F48E3C4C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C504EAA7-0B1E-4275-823E-2A0FEBBECF4E}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDA0CE98-8C9C-48A2-893D-CB6298BDE67C}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ksvssvc.KsvsService\CLSID\ = "{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\LocalServer32	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ksvsext.EXE	ksvsext.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3775B0D-480C-49AA-9F5F-340CA4A956D6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\ProxyStubClsid32	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}\NumMethods\ = "8"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C46E83F-00AD-48BB-91B0-E317692DF0ED}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BEA8551-8E91-43B8-BC6C-30AE608DE33C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4AFA6E39-974A-4BB0-9567-0AE0638489FF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ksvssvc.EXE	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEFE3A09-7FB7-4396-8CA6-F9322A86B4EE}\ProxyStubClsid32	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\VersionIndependentProgID\ = "ksvssvc.KsvsService"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}\ = "IKsvsPackageIO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}\ = "IKsvsPackageOpenCallback2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2dfb6059-396c-4e5f-a037-c534c6f53db2}\LocalService = "KSVSUPD"	ksvsupd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1A0CF6C-81BF-441B-8DD7-463B2EFB8118}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0E6F24E-E9C5-4356-90D2-45A36CDA8862}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C14B05E0-9F64-42EA-894D-C57B72866606}\NumMethods\ = "7"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}\NumMethods	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E862CC6D-77C8-42A2-B605-6BC302D764CD}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15A8A5B1-6AF8-4023-9400-C04150A22196}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FC8A934-3E8B-42D0-9F0B-38ED47A912A7}\NumMethods	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB565187-F591-4960-8CEF-1B149072A353}\NumMethods	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3775B0D-480C-49AA-9F5F-340CA4A956D6}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\InProcServer32\ThreadingModel = "Both"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3775B0D-480C-49AA-9F5F-340CA4A956D6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\KuaiKuai\\ksvs\\ksvssvc.exe\""	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3775B0D-480C-49AA-9F5F-340CA4A956D6}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A5A1B5B-63D9-45E7-B42B-66C28D9D7188}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32FFD0EA-C0B5-4EA1-917E-D4AD91E3D164}\ProxyStubClsid32	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEFE3A09-7FB7-4396-8CA6-F9322A86B4EE}\ = "IKsvsPackage"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91D593B0-2162-4400-ABBE-FCF7610B9268}\ProxyStubClsid32	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E86AF6D-86AF-486E-824A-181CF3BBC392}\1.0\FLAGS	ksvsext.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FC8A934-3E8B-42D0-9F0B-38ED47A912A7}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{718081FD-2A38-43D0-B916-0FA80DA70068}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0E6F24E-E9C5-4356-90D2-45A36CDA8862}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\kkproto.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\NumMethods	ksvssvc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe
2240	ksvs_setup.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1220	4584	0cfb42913fe45b6b7989356999d493f4_JaffaCakes118.exe	80
PID 4584 wrote to memory of 1220	4584	0cfb42913fe45b6b7989356999d493f4_JaffaCakes118.exe	80
PID 4584 wrote to memory of 1220	4584	0cfb42913fe45b6b7989356999d493f4_JaffaCakes118.exe	80
PID 1220 wrote to memory of 2240	1220	KAS5796.EXE	81
PID 1220 wrote to memory of 2240	1220	KAS5796.EXE	81
PID 1220 wrote to memory of 2240	1220	KAS5796.EXE	81
PID 2240 wrote to memory of 2264	2240	ksvs_setup.exe	82
PID 2240 wrote to memory of 2264	2240	ksvs_setup.exe	82
PID 2240 wrote to memory of 2264	2240	ksvs_setup.exe	82
PID 2264 wrote to memory of 2100	2264	net.exe	84
PID 2264 wrote to memory of 2100	2264	net.exe	84
PID 2264 wrote to memory of 2100	2264	net.exe	84
PID 2240 wrote to memory of 3488	2240	ksvs_setup.exe	85
PID 2240 wrote to memory of 3488	2240	ksvs_setup.exe	85
PID 2240 wrote to memory of 3488	2240	ksvs_setup.exe	85
PID 2240 wrote to memory of 3068	2240	ksvs_setup.exe	88
PID 2240 wrote to memory of 3068	2240	ksvs_setup.exe	88
PID 2240 wrote to memory of 3068	2240	ksvs_setup.exe	88
PID 3068 wrote to memory of 2852	3068	net.exe	90
PID 3068 wrote to memory of 2852	3068	net.exe	90
PID 3068 wrote to memory of 2852	3068	net.exe	90
PID 2240 wrote to memory of 3644	2240	ksvs_setup.exe	91
PID 2240 wrote to memory of 3644	2240	ksvs_setup.exe	91
PID 2240 wrote to memory of 3644	2240	ksvs_setup.exe	91
PID 2240 wrote to memory of 2428	2240	ksvs_setup.exe	92
PID 2240 wrote to memory of 2428	2240	ksvs_setup.exe	92
PID 2240 wrote to memory of 2428	2240	ksvs_setup.exe	92
PID 2240 wrote to memory of 1616	2240	ksvs_setup.exe	93
PID 2240 wrote to memory of 1616	2240	ksvs_setup.exe	93
PID 2240 wrote to memory of 1616	2240	ksvs_setup.exe	93
PID 2240 wrote to memory of 512	2240	ksvs_setup.exe	94
PID 2240 wrote to memory of 512	2240	ksvs_setup.exe	94
PID 2240 wrote to memory of 512	2240	ksvs_setup.exe	94
PID 2240 wrote to memory of 3220	2240	ksvs_setup.exe	95
PID 2240 wrote to memory of 3220	2240	ksvs_setup.exe	95
PID 2240 wrote to memory of 3220	2240	ksvs_setup.exe	95
PID 2240 wrote to memory of 1160	2240	ksvs_setup.exe	96
PID 2240 wrote to memory of 1160	2240	ksvs_setup.exe	96
PID 2240 wrote to memory of 1160	2240	ksvs_setup.exe	96
PID 1160 wrote to memory of 3728	1160	diag_repair.exe	98
PID 1160 wrote to memory of 3728	1160	diag_repair.exe	98
PID 1160 wrote to memory of 3728	1160	diag_repair.exe	98
PID 3728 wrote to memory of 2104	3728	cmd.exe	99
PID 3728 wrote to memory of 2104	3728	cmd.exe	99
PID 3728 wrote to memory of 2104	3728	cmd.exe	99
PID 1160 wrote to memory of 1280	1160	diag_repair.exe	100
PID 1160 wrote to memory of 1280	1160	diag_repair.exe	100
PID 1160 wrote to memory of 1280	1160	diag_repair.exe	100
PID 1280 wrote to memory of 4972	1280	cmd.exe	101
PID 1280 wrote to memory of 4972	1280	cmd.exe	101
PID 1280 wrote to memory of 4972	1280	cmd.exe	101
PID 1160 wrote to memory of 5016	1160	diag_repair.exe	102
PID 1160 wrote to memory of 5016	1160	diag_repair.exe	102
PID 1160 wrote to memory of 5016	1160	diag_repair.exe	102
PID 5016 wrote to memory of 3140	5016	cmd.exe	103
PID 5016 wrote to memory of 3140	5016	cmd.exe	103
PID 5016 wrote to memory of 3140	5016	cmd.exe	103
PID 1160 wrote to memory of 1632	1160	diag_repair.exe	104
PID 1160 wrote to memory of 1632	1160	diag_repair.exe	104
PID 1160 wrote to memory of 1632	1160	diag_repair.exe	104
PID 1632 wrote to memory of 632	1632	cmd.exe	105
PID 1632 wrote to memory of 632	1632	cmd.exe	105
PID 1632 wrote to memory of 632	1632	cmd.exe	105
PID 1160 wrote to memory of 964	1160	diag_repair.exe	106

C:\Users\Admin\AppData\Local\Temp\0cfb42913fe45b6b7989356999d493f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cfb42913fe45b6b7989356999d493f4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\KAS5796.EXE
  C:\Users\Admin\AppData\Local\Temp\KAS5796.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Program Files (x86)\KuaiKuai\KKGame\ksvs_setup.exe
    "C:\Program Files (x86)\KuaiKuai\KKGame\ksvs_setup.exe" /S /forcekillservice
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\net.exe
      net stop "KSVSSVC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "KSVSSVC"
        5⤵
        
        PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM ksvssvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3488
  - - C:\Windows\SysWOW64\net.exe
      net stop "KSVSUPD"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "KSVSUPD"
        5⤵
        
        PID:2852
  - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe
      "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe" /service
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:3644
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvcPS.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2428
  - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe
      "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1616
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsextPS.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:512
  - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe
      "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe" -install -noconsole
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:3220
  - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe
      "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe" /repair /nowait
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ksvssvc.exe /service
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe
        
        ksvssvc.exe /service
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ksvsext.exe /RegServer
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe
        
        ksvsext.exe /RegServer
        6⤵
        Executes dropped EXE
        
        PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c regsvr32 /s ksvssvcPS.dll
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s ksvssvcPS.dll
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c regsvr32 /s ksvsextPS.dll
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s ksvsextPS.dll
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ksvsupd.exe -install -noconsole
        5⤵
        
        PID:964
      - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe
        
        ksvsupd.exe -install -noconsole
        6⤵
        Executes dropped EXE
        
        PID:4800
- - C:\Program Files (x86)\KuaiKuai\KKGame\kkrs_setup.exe
    "C:\Program Files (x86)\KuaiKuai\KKGame\kkrs_setup.exe" /S
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:980
  - - C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkrs.exe
      "C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkrs.exe" /install
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      PID:4508
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkproto.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3280
- - C:\Program Files (x86)\KuaiKuai\KKGame\kkgame.exe
    "C:\Program Files (x86)\KuaiKuai\KKGame\kkgame.exe" /install
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1212
  - - C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkrs.exe
      "C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkrs.exe" /regapp kkgame "C:\Program Files (x86)\KuaiKuai\KKGame\kkgame.exe" 1
      4⤵
      Executes dropped EXE
      PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkproto.dll

Filesize
91KB

MD5
bfbb7d3bce5fdada9b2038c7a834da6c

SHA1
27e3e688e5ce4e90fca2392e69d13a61b11d5045

SHA256
8e11a5f2bd9bbdc465d18a713f40a025c614d40fa5b4fceaad1babae8b71873c

SHA512
f86a4863866334105e745a9648758d2253c62433cc76945019e89bf92166560c2a92b8682c552261e0abbdfa93328044ebda0efed7ec9ee97a62a64cbbd11d21

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\kkrs\kkrs.exe

Filesize
242KB

MD5
8bc30fdd1f81fd54c9139cb0ef0b3525

SHA1
ed0735a3966538e2672b4031cb866cb23c985a66

SHA256
45b2588b427e8d1909070c5595cba9cfca40e480d4195af8e92bf0cef60cda7a

SHA512
c16cd8df953fc1f44feb5d28d657710383cea4306c1cc6c6d1dea602618f2bfc8a2980184e70011588765c17a6e2662fc3f260a34db21cc44968480b95b583cd

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\datasyn_client.exe

Filesize
194KB

MD5
1853e58255dbfa96beceb1f9572f6a9e

SHA1
f10563b9c00f4a897946be82453f762869621f1c

SHA256
a7c573cf97c36f18c99616c3c929e84a7faf2a4b427faddef1be4063b6b7210b

SHA512
145e70fe61ce5092d47469d9f5dfe61bfc183bb8375c81073bb08618c436beb834181e38a7ae463539cd679fd66990fe7708ef334ee017ea5107c6d33ec0ff82

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\dep_ins.exe

Filesize
205KB

MD5
7f0bff06f8e398f93accb049c3e0103e

SHA1
86730728a3808c22571b98bd866661615b2d8e15

SHA256
a45ad348091a46a567ae75e6d583089ccde5c684de6e5948e71532b8bb8b991d

SHA512
bb73b60610b57c5a63069984fa909e71298b2949b615b941a8023c39397865439aebbafbee67708b6c886e3fcb66d2db439dc9ff7dc4e4c8a488a857e56389fb

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe

Filesize
84KB

MD5
680f3003200f620b2f6b1f3d25fc5462

SHA1
fec50e26db07057e28015644b6a00a14188d5432

SHA256
48dafd2b11e513aceb19c907d9d80dfac7177aa747af96535adaea9bda45fe64

SHA512
3dcea36d9c8f4019185feca4845e642a226f515aa76b7507e7d417773cfce9893fe18f595a646cd720be110c648b2aa33735a44ba611e458f321eb014d0411cd

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsdlhelper.exe

Filesize
271KB

MD5
4002b05a1465bed764ce77a49aff598e

SHA1
0209a3d98c484f3666090f45e59f6b01a4eefcd4

SHA256
283ac70198556a059a4ce56e5c71ba9b2fd68016fe981593208a42cdce9c547d

SHA512
692fd7f7fed49841558a9d1a818b23cd70b94f0ef18dcf07e34bd00edf409c67c18aa81af5a8a6f530be01d8acb1c9d5b5337b1242d3d4863b8f42c5caec2a10

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe

Filesize
124KB

MD5
a7f7b1aa78c7713eae5df7659a894435

SHA1
cd08705c34daede5b855a4312f8f48e9602a1bc4

SHA256
2e9f634fc8215aa1710250d96255044fe83121ef118bd42eb5109fedaa309bee

SHA512
70ce991f9a04ab6158fd28f7ec6db499e2be2529098fda3dafb3598896dd2f47915111468fc0ae85b2d207a1a479b853085c9422765c4a45afb5c099758f0336

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsextPS.dll

Filesize
51KB

MD5
f14a67498cfa56f45736e8b7767bbb2b

SHA1
fc7e7c17555d031247bc7e4a3ca7b8148486a003

SHA256
22b29f98aac5de68dde0c2681bde3fea483984f003f5646c4e3b7be08b55bf75

SHA512
e72344bb8e5f9a024d035aae0845e3aa23892ec54d38784d85c6a027c083f89ad965b2f7511f7ee9946e820579eaabaa9dcd678de81b572fcc0a45c433c7c2a3

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe

Filesize
934KB

MD5
322fd2c72778cf11ed9c57f47266c2ba

SHA1
d96c5ce91d28e02026a88625966b0e543c92757a

SHA256
cef97820412ab6def14c7a392ab6cb086bc9f54c8b6bb7cfe4c50e17d0f45ecc

SHA512
8333e064c6a939dc613cf84f1dc35c04769916ed067ab29c1d354f6d9383d32ec6239cb6b75ade503d3063a895c15768f4cc824d902598c73a596eb9dc3ae0ad

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvcPS.dll

Filesize
58KB

MD5
f1ddb64087aed985a45482ff7676dc1f

SHA1
69d362e18d692b6534101fac73e423b521972157

SHA256
da12c24f1201c4ede82f28da9afb3aeaf5a9b719adec5bbfadc957ae257592a1

SHA512
73c064e0d9a705e2b984d1eb0d6c0cb2c336b8dce256ea3c389797f9969d6e885689c6948c695ae6a4cb3ed113f27deb92ce3c4776ad3ba68d65cf8ddf9e36b4

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe

Filesize
206KB

MD5
4945082773ff3f9da8dba2ace733907f

SHA1
984c5af46a464364ec889e21353e963ca42fadb8

SHA256
607504cbdc550fffb6dc061e5a2f9066226ee6e4eb9d3b3483b9113388e2077f

SHA512
248832567eac8b145f359ad9ded9c35c3c7cccfebae71587f70505626750698cdaf54a4c9d8ebe4ba1ea3246150790020cd4a6fa3af0e55b308b1341cc6cabea

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\libexpatw.dll

Filesize
148KB

MD5
226e01d42edd35c3c87bc7084b61bc10

SHA1
c640234a4988edc5ce2fc7263b27788b9ed79073

SHA256
fc580ba332907a472f8f89a4bd97d05d8fa9103aca535918f62093a230013bad

SHA512
1bbebf740619b9b8d0e2a50109717a679318bfb1cf7e8cfee1067262ed5034e13f45a49d1b83e16a85ff21ca67804209fc7999bf9d923150f478cf2cfadeadd6

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\simple_logger.dll

Filesize
80KB

MD5
4c7912ce9ba3698dc51de2c2c2f1b4db

SHA1
c1738063819f08d81006de36f4a338edbeeef410

SHA256
e0773000a7deababc47ae88736966bb15532e0c9778763bc6f22ccad029dd2d1

SHA512
eea2855d9d677dace520a188584868272618e9c5559d98588f02ac35d0f47ae7998569809117d0883db057c2b687d6b9d3b1b6d585e61bc1aee8468d8cd259c7

Download Submit
C:\Program Files (x86)\KuaiKuai\KKGame\kkrs_setup.exe

Filesize
228KB

MD5
c74dd495b6fd9d299ff2244f3a8707a9

SHA1
7b08d1002226b204ecb5030cdbba2228ce25151e

SHA256
e20bb543e21aaccfe6ce7058bd53e8ef5dce223eeda4a207e3c944dbb4bf7803

SHA512
6dc878383e3812d6f79dd93fb77ba6111dc4f7bd2da16c6aedcead66b252d80ba91d9bd13ee2b57130c1a3c62c17d70cd5887a8668d6d534f177dbf6a2ac0787

Download Submit
C:\Program Files (x86)\KuaiKuai\KKGame\ksvs_setup.exe

Filesize
1.5MB

MD5
91beca04fcc6d2f29771b4034ca62d65

SHA1
4dc585c72f11cb69d4c4c94780c3e44a95250474

SHA256
2550906025d99d8e7829550d72720b09e122e5288922f5b6d1f2963e3eca5f2f

SHA512
9bb19db69d87c2378347d66367c6178ecda582f130386aece65e3c2147001fdaeecc478fcc905f47bbd41ec8310012f1edb19ac206c80a881e6d88594c3c3631

Download Submit
C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\qipai\images\status_bg.gif

Filesize
856B

MD5
75ed1ce1308e37eb00198cca52d59cc9

SHA1
71d4651e883ca91deb2091493f9d76174034105b

SHA256
771fc2e51acc1008790390bf3dec88fdb40e8ee9a6e6be6cbd57cb0f475d610d

SHA512
19bd089eef7761711274a155f28221232a7cc29f03ebcbdb9bb470890b47b41c725a464ae666bf88daa4b05b422625df8f142b536518093855d0a304a6b8d29d

Download Submit
C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\search\images\editor_title_bg.gif

Filesize
866B

MD5
1c05c821d78432d019222d43eb65981b

SHA1
57eef59d81c2c6d3a77b0c9f4b36469c436d91cc

SHA256
200b55933f25bb409811d1381645dc39e94b167bb13afd6a9f15c8ed23a75708

SHA512
2655d7a365ab8070571bd91344b9911e4f65168fd22e11210d3c2029cc6cdf8564f9e802df217cd9545bd162ca33f6f7598e1031f62593e3aa46176bcd6f257a

Download Submit
C:\Program Files (x86)\KuaiKuai\KKGame\web\apps\startcover\images\star.gif

Filesize
2KB

MD5
98570d94947afcef57808a30f0705ef1

SHA1
7f3ef954d43b3fd24e3b55348c3139bf5ad99a78

SHA256
a947e5fdf871ea16b69072172f5e52f0fb64ef32c3e1f076e90fb597d14c819c

SHA512
fa1f0c9d541941e1e8d4cc45b37f82a9f4c0a3bead12bdf77c70168b2b286a5c76227deeabe92a1ead2e581d9a512d34bb8a3423b4337c9a0592b031825af0ac

Download Submit
C:\Program Files (x86)\KuaiKuai\KKGame\web\common\css\images\lightbox-blank.gif

Filesize
43B

MD5
fc94fb0c3ed8a8f909dbc7630a0987ff

SHA1
56d45f8a17f5078a20af9962c992ca4678450765

SHA256
2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

SHA512
c87bf81fd70cf6434ca3a6c05ad6e9bd3f1d96f77dddad8d45ee043b126b2cb07a5cf23b4137b9d8462cd8a9adf2b463ab6de2b38c93db72d2d511ca60e3b57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAS5796.EXE

Filesize
5.0MB

MD5
f4619fa896b8a10635810e048a587d3f

SHA1
90fd83d157eaff76818d90d4907d2b01595ebbc7

SHA256
b092a83fa9ef588e3ee765230b8b13430632a6a1099bb1884d2c989568e0c4dd

SHA512
f3b7f0affb7e2adc32567d224fe80d68a0db4f2dfc40842ede6730f0abd2e65e91de5d03304097c4a531a2aaf36538b6067c205bfc79e2f7c091b5d503bd3edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc59CA.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E10.tmp\CheckKsvsSvcDLL.dll

Filesize
80KB

MD5
32f9654b0355069a7dc7f287ccec2cb9

SHA1
73da44871678020e47292c941ee9258c51159635

SHA256
d65aeac5af5afabea81ee5c8804496dee7c0f4458e3469ad3d3d45eec8ee6078

SHA512
3a3dccb502e02f82f77625c3977484e9bdb6755de2e2f632fa6f1016a13fdef49716953c63ebb6ed298965aea18eac7c992f034eaa5165bfe51f1f76dd3a503b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E10.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E10.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
memory/2104-697-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2240-581-0x0000000002F10000-0x0000000002F29000-memory.dmp

Filesize
100KB

Download
memory/3644-670-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download