Malware Analysis Report

2024-12-07 02:00

Sample ID 241111-vem26asapp
Target 4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd
SHA256 4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd
Tags
bootkit discovery persistence privilege_escalation
score
8/10

Analysis Overview


Threat Level: Likely malicious

The file 4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence privilege_escalation

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: LoadsDriver

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 16:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 16:54

Reported

2024-11-11 16:57

Platform

win7-20240903-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\KuaiZipDrive.sys C:\Program Files\¿ìѹ\X64\KZMount2.exe N/A
File opened for modification C:\Windows\system32\drivers\KuaiZipDrive.sys C:\Program Files\¿ìѹ\X64\KZMount2.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\¿ìѹ\X86\KZReport.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\¿ìѹ\KzNew.dat C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\DiskOpt.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\KuaiZip.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\KZModule.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\MountCore.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\KZReport.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\Uninst.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\Mount.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\KuaiZipDrive.sys C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\KZMount2.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\7z.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\KZModule.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\Mount.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\ErrorMsg.xml C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\SetupHelper.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\ali\jp.png C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\ali\kzshop.ico C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\readme.txt C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\7zNew.dat C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\DuiLib.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\KZFormat.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\MountCore.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\finderlib.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\SLDefault.xml C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\data\slimdata.dat C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\skin\disopt.skn C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\__-________.URL C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\KZTui.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\7z.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\lang\Chs_Lang.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\KZFormat.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\KZipShell.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\ZipNew.dat C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X64\SetupHelper.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\Update.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\UpdateChecker.exe C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\lang\Chs_Lang.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
File created C:\Program Files\¿ìѹ\X86\sfx\kzSetup_chs.sfx C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\¿ìѹ\X86\KZReport.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.053\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.089 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\HardLinkShlExt\ = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.095\ = "KuaiZip.095" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.044\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.065\ = "KuaiZip.065" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.PropertyExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.098\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wim\ = "KuaiZip.wim" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.z\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.002\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.044\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.097\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.KzShlobj\ = "KzShlobj Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.023\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.037 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.067\shell C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.ContextMenuExt.1\CLSID\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.nrg C:\Program Files\¿ìѹ\X64\KZMount2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.mdf\shell\open\command C:\Program Files\¿ìѹ\X64\KZMount2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.020 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.7z C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.008\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.081\ = "快压 081 压缩文件 " C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.wim C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.002 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.021\ = "NoAssociate.KZ" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.090\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.061 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.037\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.043\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.047\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.056\ = "KuaiZip.056" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.KzShlobj.1\ = "KzShlobj Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.cab\ = "快压 CAB 压缩文件 " C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.cab\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.075\ = "KuaiZip.075" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.098\ = "快压 098 压缩文件 " C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.bz2\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.024\ = "NoAssociate.KZ" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.053\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.070\DefaultIcon C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.021 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.039\DefaultIcon C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.070\ = "KuaiZip.070" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.097\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.081\shell\open\command C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.013\ = "快压 013 压缩文件 " C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.032 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.071 C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.081\DefaultIcon C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.002\ = "KuaiZip.002" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.089\ = "NoAssociate.KZ" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.gz\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.009\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.016\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.zip\shellex C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.093\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.mou\shell C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.027\shell\open C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.035\ = "快压 035 压缩文件 " C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.093\ = "KuaiZip.093" C:\Program Files\¿ìѹ\X86\KuaiZip.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\¿ìѹ\X86\KZReport.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 2976 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 2976 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 2976 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 2044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KZReport.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KZReport.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KZReport.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe C:\Program Files\¿ìѹ\X86\KZReport.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe

"C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc

C:\Program Files\¿ìѹ\X64\KZMount2.exe

"C:\Program Files\¿ìѹ\X64\KZMount2.exe" -InstallDriver

C:\Program Files\¿ìѹ\X64\KZMount2.exe

"C:\Program Files\¿ìѹ\X64\KZMount2.exe" -AssocAll

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"

C:\Program Files\¿ìѹ\X86\KuaiZip.exe

"C:\Program Files\¿ìѹ\X86\KuaiZip.exe" -AssociateAll

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" "C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s

C:\Windows\system32\regsvr32.exe

"C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s

C:\Program Files\¿ìѹ\X86\KZReport.exe

"C:\Program Files\¿ìѹ\X86\KZReport.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 i.kpzip.com udp
CN 14.205.47.252:80 i.kpzip.com tcp
CN 122.190.64.38:80 i.kpzip.com tcp
CN 112.84.131.63:80 i.kpzip.com tcp
CN 110.249.196.56:80 i.kpzip.com tcp
CN 113.201.158.118:80 i.kpzip.com tcp
CN 60.220.179.199:80 i.kpzip.com tcp
CN 116.162.169.61:80 i.kpzip.com tcp

Files

C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll

MD5 57dcb435d455facabcbb943df4439211
SHA1 6cbf59c6a0dd83427104d1d2b02308e23f3bac71
SHA256 c115c445731dfc9ac86e03fc46385149abd6da6fdb086092bc711d77c579cd86
SHA512 b0334b37dce72f24ab825e376fbec1702476b86978898fe8b1c70d0280781d0353b565b9e2a479bc28a452038a5d49a93cf11b1e81a23870bcfea95ad327782b

\Program Files\¿ìѹ\X86\KuaiZip.exe

MD5 23209cd2c9fb9b1b506cf04732a2fdc9
SHA1 dcf81ccb7b0ba1ff26bc19ab57b7d1d776acc064
SHA256 ccf82a791c6a32ab05622b29fc4fe27199a76b6e923e5f9e0ea14e1dcedf3b61
SHA512 be8f302345259e8ea81d4d02d1e73d6c6127fd574ca604d425a04b63bc8c6be22e7e492f118c43dc791c440b3ec153161dba0117ceaeed2de67618ede9a0eaae

\Program Files\¿ìѹ\X64\KZMount2.exe

MD5 6092e931993ce98e90bd9a8ba5e0f81d
SHA1 9f6e2cfee88a965ac9c621244ae4e743179926bb
SHA256 0a4005988099b5958842aa8b064f8ea63a62d6b3ce8cf474df810b229768d2aa
SHA512 a317e1afc8c9144481ef2322019a798c32d3aaa54521c3084816cc2fbe6283b7b1f9c2d53ddd66247499e0ad9efbc6d424f4561a45c5462e656356ae040d2876

\Program Files\¿ìѹ\X64\lang\Chs_Lang.dll

MD5 f4b0f5f11f6c45f9f35683daaf1dc154
SHA1 66a5a9f11eb488687abd9098bf972b5f140b79ad
SHA256 d9f93356f1459fa4352529a3984ddacd774bd44ca54e2c7261b4fed569f21037
SHA512 6cfb3c8f496b4798c26edb1806f8f82b661e9163c33f7c87578b4f951fc8d3575f15c9e97dbbe2b4e8b53f32213d9f1e20667f6eb97869cc985deee0ff2f318f

C:\Program Files\¿ìѹ\X64\Mount.dll

MD5 bb749bff8225c1f4fe637ee9b9900605
SHA1 9f0259bb8532188bc58d3e0443e8dbcddb0d11f3
SHA256 f8a5b80bd4df9b8476ad22c8fff874e986582a1045e166e8cee05cb4f5b80416
SHA512 74d53797952032bbe4d75b0bd43b3129031306a8060789f44ed2f6100430f82653e4b99fe9ee783c85bf7d8682e4825d1d45da1cb204cb1add49ed7bd9a5a835

C:\Program Files\¿ìѹ\X64\KuaiZipDrive.sys

MD5 1876e8b3f3a1a8ebb1cb6adce66aa56d
SHA1 34fce38d3ea4551dceecf2784efcaf8baaadd412
SHA256 94384ff5849f6350df1a249260f82c6c8061362588fc1057ee498d72b0a709e1
SHA512 80544ccac70bf2eb67e4cae4914449c464c78a0326885fd975e473375655443f3d7e5d6a905286d9b8ddb5d8f35ca14fec96a196be9eae5e3a443c53db3dbe57

C:\Program Files\¿ìѹ\X86\DuiLib.dll

MD5 a4dfb3886fd564277b972e0eb6a85d37
SHA1 65e7065e87630aec7a51dfef744d9a0ff05a475d
SHA256 b1d2065329687cf7162ca1c303f6418c97b8a9e8914b6c388d834b2318c609be
SHA512 4d81770561bbb95dcba4207bc5f1c94acd7f3defb6d82bf427eff08b7aa4360fd28f754015672c8e34cda81bfbd375b9ed9a4707e3276b9b9664eb17ddcafa4b

C:\Program Files\¿ìѹ\X86\Lang\Chs_Lang.dll

MD5 b97edec9d770cffe2d1ae4c133aeff17
SHA1 2005bf84b016041c66b39d8b4a6a1713388b3e78
SHA256 f076084d2aca4e6f37b80b950b89eee71339e9d0e7d4a2bea638e58f81dcd34d
SHA512 d88c65135fd8f60f8fda581a0c3b1f6eeec50d360793c0ccfe20be9d5d048da88947836bb603a87cadcc0f8b4969b5566285c999471c0e68ee8a047919bd2c8a

C:\Program Files\¿ìѹ\X64\KZipShell.dll

MD5 be4b24bd17c88ef4e5a95461c8c96c41
SHA1 3003617159914a14cec3c7b78fee70c26094025e
SHA256 014790e04d73ac79bdcb5d4d33bb9d687fee4bba33584d524d649b4142f8e4bf
SHA512 c83505bc47563122ef02cc81d07e4e3ef5ac6648a9cdb9907b296378ec21f6c35f438f0269cd92df55150d37169cdd5615f849d30db1bdc41bee8a84f1567b60

\Program Files\¿ìѹ\X86\KZReport.exe

MD5 c615fdd832f80a8ff0cff8e3253a6fe9
SHA1 ca09e99d21e2392e9559a01564c54d0e6f0cfd1b
SHA256 f23c1cfc0e701d0e5c8f2a869b9ab65423e10db7072a0ece5998ae63726f0c35
SHA512 43c82ae37094fdf2d78352fd66890f25730270602b4821e46ac6b44db653fb2b88ea189a4b7922faccd32f536a14726b1db3308316c76d4c9d5e47414acdb6f5

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 16:54

Reported

2024-11-11 16:57

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\KuaiZipDrive.sys | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
File opened for modification | C:\Windows\system32\drivers\KuaiZipDrive.sys | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A

Server Software Component: Terminal Services DLL

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt | C:\Windows\system32\regsvr32.exe | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\¿ìѹ\X86\finderlib.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\Mount.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\7zNew.dat | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\data\slimdata.dat | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\__-________.URL | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\DiskOpt.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\DuiLib.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\KzNew.dat | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\ZipNew.dat | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\KZipShell.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\KZModule.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\skin\disopt.skn | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\KZMount2.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\Update.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\UpdateChecker.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\7z.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\KuaiZipDrive.sys | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\SLDefault.xml | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\Uninst.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\KZFormat.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\KZModule.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\MountCore.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\SetupHelper.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\SetupHelper.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\lang\Chs_Lang.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\ali\kzshop.ico | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\ErrorMsg.xml | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\readme.txt | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\KZReport.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\KZTui.exe | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\KZFormat.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\ali\jp.png | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\Mount.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X86\sfx\kzSetup_chs.sfx | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\7z.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\lang\Chs_Lang.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
File created | C:\Program Files\¿ìѹ\X64\MountCore.dll | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.003\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.096 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\InprocServer32\ = "C:\\Program Files\\¿ìѹ\\X64\\KZipShell.dll" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.019 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wim\ = "KuaiZip.wim" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.083 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.ape\DefaultIcon | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "KuaiZip.tbz" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QZipShell.DLL\AppID = "{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.013\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.064\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.jar\ = "快压 JAR 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.068\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.029 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.035\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.mds\shell\open | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.cab\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.010\ = "KuaiZip.010" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.02\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.027\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.isz | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.bin\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X64\\KZMount2.exe -NewDriver \"%1\"" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.arj\ | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.034\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.019\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.068\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.071\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.DragDropMenu\CLSID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.PropertyExt\CLSID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\HardLinkShlExt | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.096\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.vcd\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X64\\KZMount2.exe,0" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.05\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.066\ = "快压 066 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.052 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.ContextMenuExt\ = "ContextMenuExt Class" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\TypeLib\ = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.014\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.062\ = "快压 062 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.085\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount_FileAsso.Origin\.mdf\ = "NoAssociate.KuaiZipMount" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.013\ = "KuaiZip.013" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.096 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gzip\ = "KuaiZip.gzip" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.006\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.060\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.084\ = "快压 084 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.024\ = "KuaiZip.024" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "KuaiZipMount.bin" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.ContextMenuExt.1\ = "ContextMenuExt Class" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.DragDropMenu.1 | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.nrg | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.rpm\ = "快压 RPM 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.053 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.DragDropMenu.1\CLSID\ = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.09\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.021\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.093\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.068\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.lzh\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.042\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.075\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.057\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4848 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 4848 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 4848 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 4848 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X64\KZMount2.exe
PID 4848 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 4848 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 4848 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X86\KuaiZip.exe
PID 4848 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4260 wrote to memory of 4628 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4260 wrote to memory of 4628 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4848 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X86\KZReport.exe
PID 4848 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X86\KZReport.exe
PID 4848 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | C:\Program Files\¿ìѹ\X86\KZReport.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe

"C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc

C:\Program Files\¿ìѹ\X64\KZMount2.exe

"C:\Program Files\¿ìѹ\X64\KZMount2.exe" -InstallDriver

C:\Program Files\¿ìѹ\X64\KZMount2.exe

"C:\Program Files\¿ìѹ\X64\KZMount2.exe" -AssocAll

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"

C:\Program Files\¿ìѹ\X86\KuaiZip.exe

"C:\Program Files\¿ìѹ\X86\KuaiZip.exe" -AssociateAll

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" "C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s

C:\Windows\system32\regsvr32.exe

"C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn KuaiZip_Update /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn KuaiZip_Update /tr "C:\PROGRA~1\F85A~1\X86\Update.exe" /sc hourly

C:\Program Files\¿ìѹ\X86\KZReport.exe

"C:\Program Files\¿ìѹ\X86\KZReport.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | i.kpzip.com | udp
CN | 122.190.64.38:80 | i.kpzip.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
CN | 116.136.12.227:80 | i.kpzip.com | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
CN | 60.220.179.199:80 | i.kpzip.com | tcp
CN | 116.162.169.61:80 | i.kpzip.com | tcp
CN | 60.28.220.184:80 | i.kpzip.com | tcp
CN | 42.236.89.8:80 | i.kpzip.com | tcp
CN | 119.167.229.190:80 | i.kpzip.com | tcp

Files

C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll

MD5 57dcb435d455facabcbb943df4439211
SHA1 6cbf59c6a0dd83427104d1d2b02308e23f3bac71
SHA256 c115c445731dfc9ac86e03fc46385149abd6da6fdb086092bc711d77c579cd86
SHA512 b0334b37dce72f24ab825e376fbec1702476b86978898fe8b1c70d0280781d0353b565b9e2a479bc28a452038a5d49a93cf11b1e81a23870bcfea95ad327782b

C:\Program Files\¿ìѹ\X86\KuaiZip.exe

MD5 23209cd2c9fb9b1b506cf04732a2fdc9
SHA1 dcf81ccb7b0ba1ff26bc19ab57b7d1d776acc064
SHA256 ccf82a791c6a32ab05622b29fc4fe27199a76b6e923e5f9e0ea14e1dcedf3b61
SHA512 be8f302345259e8ea81d4d02d1e73d6c6127fd574ca604d425a04b63bc8c6be22e7e492f118c43dc791c440b3ec153161dba0117ceaeed2de67618ede9a0eaae

C:\Program Files\¿ìѹ\X64\KZMount2.exe

MD5 6092e931993ce98e90bd9a8ba5e0f81d
SHA1 9f6e2cfee88a965ac9c621244ae4e743179926bb
SHA256 0a4005988099b5958842aa8b064f8ea63a62d6b3ce8cf474df810b229768d2aa
SHA512 a317e1afc8c9144481ef2322019a798c32d3aaa54521c3084816cc2fbe6283b7b1f9c2d53ddd66247499e0ad9efbc6d424f4561a45c5462e656356ae040d2876

C:\Program Files\¿ìѹ\X64\Lang\Chs_Lang.dll

MD5 f4b0f5f11f6c45f9f35683daaf1dc154
SHA1 66a5a9f11eb488687abd9098bf972b5f140b79ad
SHA256 d9f93356f1459fa4352529a3984ddacd774bd44ca54e2c7261b4fed569f21037
SHA512 6cfb3c8f496b4798c26edb1806f8f82b661e9163c33f7c87578b4f951fc8d3575f15c9e97dbbe2b4e8b53f32213d9f1e20667f6eb97869cc985deee0ff2f318f

C:\Program Files\¿ìѹ\X64\Mount.dll

MD5 bb749bff8225c1f4fe637ee9b9900605
SHA1 9f0259bb8532188bc58d3e0443e8dbcddb0d11f3
SHA256 f8a5b80bd4df9b8476ad22c8fff874e986582a1045e166e8cee05cb4f5b80416
SHA512 74d53797952032bbe4d75b0bd43b3129031306a8060789f44ed2f6100430f82653e4b99fe9ee783c85bf7d8682e4825d1d45da1cb204cb1add49ed7bd9a5a835

C:\Program Files\¿ìѹ\X64\KuaiZipDrive.sys

MD5 1876e8b3f3a1a8ebb1cb6adce66aa56d
SHA1 34fce38d3ea4551dceecf2784efcaf8baaadd412
SHA256 94384ff5849f6350df1a249260f82c6c8061362588fc1057ee498d72b0a709e1
SHA512 80544ccac70bf2eb67e4cae4914449c464c78a0326885fd975e473375655443f3d7e5d6a905286d9b8ddb5d8f35ca14fec96a196be9eae5e3a443c53db3dbe57

C:\Program Files\¿ìѹ\X86\DuiLib.dll

MD5 a4dfb3886fd564277b972e0eb6a85d37
SHA1 65e7065e87630aec7a51dfef744d9a0ff05a475d
SHA256 b1d2065329687cf7162ca1c303f6418c97b8a9e8914b6c388d834b2318c609be
SHA512 4d81770561bbb95dcba4207bc5f1c94acd7f3defb6d82bf427eff08b7aa4360fd28f754015672c8e34cda81bfbd375b9ed9a4707e3276b9b9664eb17ddcafa4b

C:\Program Files\¿ìѹ\X64\KZipShell.dll

MD5 be4b24bd17c88ef4e5a95461c8c96c41
SHA1 3003617159914a14cec3c7b78fee70c26094025e
SHA256 014790e04d73ac79bdcb5d4d33bb9d687fee4bba33584d524d649b4142f8e4bf
SHA512 c83505bc47563122ef02cc81d07e4e3ef5ac6648a9cdb9907b296378ec21f6c35f438f0269cd92df55150d37169cdd5615f849d30db1bdc41bee8a84f1567b60

C:\Program Files\¿ìѹ\X86\lang\Chs_Lang.dll

MD5 b97edec9d770cffe2d1ae4c133aeff17
SHA1 2005bf84b016041c66b39d8b4a6a1713388b3e78
SHA256 f076084d2aca4e6f37b80b950b89eee71339e9d0e7d4a2bea638e58f81dcd34d
SHA512 d88c65135fd8f60f8fda581a0c3b1f6eeec50d360793c0ccfe20be9d5d048da88947836bb603a87cadcc0f8b4969b5566285c999471c0e68ee8a047919bd2c8a

C:\Program Files\¿ìѹ\X86\KZReport.exe

MD5 c615fdd832f80a8ff0cff8e3253a6fe9
SHA1 ca09e99d21e2392e9559a01564c54d0e6f0cfd1b
SHA256 f23c1cfc0e701d0e5c8f2a869b9ab65423e10db7072a0ece5998ae63726f0c35
SHA512 43c82ae37094fdf2d78352fd66890f25730270602b4821e46ac6b44db653fb2b88ea189a4b7922faccd32f536a14726b1db3308316c76d4c9d5e47414acdb6f5