Malware Analysis Report

2024-12-07 13:45

Sample ID 241118-lqpwfsyngm
Target XiuXiu_aam-X64.msi.vir
SHA256 34b150091d625d345d47c908841b2570455388c910e78e1403313fce2e5f2ae3
Tags
gh0strat purplefox bootkit discovery evasion execution persistence privilege_escalation rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

34b150091d625d345d47c908841b2570455388c910e78e1403313fce2e5f2ae3

Threat Level: Known bad

The file XiuXiu_aam-X64.msi.vir was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox bootkit discovery evasion execution persistence privilege_escalation rat rootkit trojan

Modifies firewall policy service

Gh0st RAT payload

Purplefox family

PurpleFox

Detect PurpleFox Rootkit

Gh0strat

Gh0strat family

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Downloads MZ/PE file

Drops file in System32 directory

Loads dropped DLL

Drops file in Program Files directory

Checks installed software on the system

Drops file in Windows directory

Executes dropped EXE

Event Triggered Execution: Installer Packages

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Runs ping.exe

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 09:44

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 09:44

Reported

2024-11-18 09:48

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XiuXiu_aam-X64.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Meitu\KanKan\KanKan.exe = "C:\\Program Files (x86)\\Meitu\\KanKan\\KanKan.exe:*:Enabled:KanKan" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\Y: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\S: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\Q: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\R: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\J: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\P: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\V: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\W: C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KWMInNtjSDED.exe.log C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_meirong_cc_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_vertical_contrast_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Pintu\Moban\Biankuang\003.ptbj C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Shipin\Feizhuliu\mtsc10346.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Shipin\Zhuangshi\Zhijia\mtsc11752.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_main_picinformation_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_help.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\skin_vertical_normal.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_smallrotate1.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_opendlg_closetip_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_frame_leftviewmiddle.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Web\Welcome\images\bg_nav_tag.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\control\tbut_bg_hover.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_member_ok_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_membergou.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_maximize_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_undo_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\xiuxiu\Effects\mtxx_LifeSketch_wenli2.jpg C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_left_full_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_openeffect.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_ad_tipico.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_meirong_xchyq_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\xiuxiu\Effects\mtxx_jj_002.jpg C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\SimplifiedChinese\DLGMATERIAL.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\xiuxiu\Effects\hefeng2.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Moban\Wenzi\Kuaile\mtsc10189.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\toolbar\adressright_disable.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_pfmb_part_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\skin_img_serialnuber.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_undo_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_zazhibj.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Shipin\Feizhuliu\mtsc11684.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_startcrop_simple.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\toolbar\qq.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_right_tab_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_clockwise.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_general_blue2_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_newdlg_middleleft.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\PlugIns\KanKanPDF\Skin\Default\toolbar\search_hover.png C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_new_general_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_tabdlg_middleleft.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\SimplifiedChinese\DLGLEFTCLOTH.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\SimplifiedChinese\DLGXIAOCHUHYQ.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_newsinalarge.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\toolbar\spinner-.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_cropdlg_lefttab1_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_gengeral_blue_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_bjxh.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_menu_load_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_moremenue_ytww_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_fengjingbj.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_moremenue_jgqt_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\PlugIns\KanKanPDF\Skin\Default\toolbar\sepline.png C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\skin_after_simple.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\SimplifiedChinese\DLGJGPT.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\SimplifiedChinese\DLGCROPSTYLESELECT.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\SucaiLiveUpdate.exe C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\toolbar\spinner+.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_popupdlg_middleright.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\SimplifiedChinese\DLGPINTUSELECT.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Shipin\Zhuangshi\Qita\mtsc11556.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_tab_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_general_load_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_head_discuz.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{32C62B88-98A4-41F2-9AE4-EA6692256AE5} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57dd71.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\wan.ico C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Windows\uninstall.ico C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Windows\Installer\e57dd6f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57dd6f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDF06.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\XiuXiu.ico C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = <binary value omitted> C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\KanKan.exe = "1" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND\KanKan.exe = "1" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\KanKan.exe = "1" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.GIF\ = "KK.GIF" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PNM\shell\open\ = "美图看看" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.ARW\ = "KK.RAW" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JP2\shell\ = "open" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.BMP\shell\open\command C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.CR2 C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.ICO C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\ÃÀͼ¿´¿´\URLInfoAbout = "http://www.meitu.com" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPC\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\KanKan\\ImgFmt.dll,-111" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.KDC\ = "KK.RAW" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.BMP\ = "Kankan BMP 图像" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.MNG\shell\open C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.NEF\ = "KK.RAW" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.CRW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Meitu C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.TGA C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.PGM\ = "KK.PNM" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JBG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\KKInfoGather C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\MeiTu\KanKan C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kks\ProgID = "KK.skin" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.ICO\ = "KK.ICO" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.TGA\shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\KanKan\\KanKan.exe\" \"%1\"" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.RAS\shell\open\ = "美图看看" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\美图看看\Publisher = "Meitu, Inc." C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\shell\使用美图秀秀编辑和美化 C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.JPG\ = "KK.JPEG" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.GIF\shell\open\command C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.WMF\shell\open\command C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JP2\shell\open\command C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.SRF\ = "KK.RAW" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.RAS\shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\KanKan\\KanKan.exe\" \"%1\"" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\shell\使用美图秀秀编辑和美化\command\ = "\"C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.exe\" %1" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Meitu\xiuxiu\message C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.BMP\shell\ = "open" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.JPEG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PCX\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\KanKan\\ImgFmt.dll,-107" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.WMF\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.WBM\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.GIF\shell\open\ = "美图看看" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JP2\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PGX\shell\open C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Meitu\KanKan\SetupTime = "20241118094700" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kks C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.WBM\shell\ = "open" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.WMF C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.RAS C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.PPM\ = "KK.PNM" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.BMP\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\KanKan\\ImgFmt.dll,-100" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.BMP\shell\使用美图秀秀编辑和美化 C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.ICO C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.TIF C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.RAS\ = "Kankan RAS 图像" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mtbk\ = "MTBK" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtqp\Shell\open\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JPC C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kdc\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtqp\Shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kks C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wmf\OpenWithProgids\KK.WMF C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30DD42DB-7282-42E9-B42A-4987347E1168}\InprocServer32\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.dll" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RW2\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.psd\OpenWithProgids\KK.PSD C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\nlf2\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\Images\\Icons\\mtnlf2_16X16.ico,0" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\OpenWithProgids\KK.PNG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.TIFF\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JNG\OpenWithProgids\KK.MNG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.raw\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.NEF\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rw2\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mtbk C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf\Shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtqp\DefaultIcon C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\使用美图秀秀编辑和美化 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KK.skin C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mtww\ = "MTWW" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PGM\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dng\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cr2\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.TGA\OpenWithProgids\KK.TGA C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PCX C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dcr\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88B26C234A892F14A94EAE662952A65E\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtbk\Shell\open\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kks\ = "KK.skin" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GIF\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.J2K\OpenWithProgids\KK.JP2 C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PPM C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RAW\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtst\DefaultIcon C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cnwe C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf3\DefaultIcon C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\neoframe\Shell\open\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.emf\OpenWithProgids\KK.WMF C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.SKA\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.SKA\OpenWithProgids\KK.SKA C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cnwe\Shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.exe\" \"%1\"" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtww\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\Images\\Icons\\mtww_16x16.ico,0" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtww\Shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JFI\OpenWithProgids\KK.JPEG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithProgids\KK.GIF C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mtdt\ = "MTDT" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\使用美图秀秀编辑和美化\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JPC\OpenWithProgids\KK.JPC C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JBG\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88B26C234A892F14A94EAE662952A65E\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88B26C234A892F14A94EAE662952A65E\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtww\Shell\open C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtqp\Shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.exe\" \"%1\"" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MNG\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mtpt C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf2 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ptx\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cnwe\Shell\open C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\使用美图秀秀编辑和美化\command\ = "\"C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.exe\" %1" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\使用美图秀秀编辑和美化\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\shell\使用美图秀秀编辑和美化 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: 35 N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: 35 N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 4604 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3992 wrote to memory of 4604 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3992 wrote to memory of 3076 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3992 wrote to memory of 3076 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3076 wrote to memory of 2176 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 2176 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 1168 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 3076 wrote to memory of 1168 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1168 wrote to memory of 452 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 1168 wrote to memory of 452 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 1168 wrote to memory of 452 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 1168 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1168 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1168 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 1168 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 1168 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 3076 wrote to memory of 5012 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 3076 wrote to memory of 5012 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 3076 wrote to memory of 5012 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 3076 wrote to memory of 2784 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe
PID 3076 wrote to memory of 2784 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe
PID 3076 wrote to memory of 2784 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe
PID 4468 wrote to memory of 2652 N/A C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 4468 wrote to memory of 2652 N/A C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 4468 wrote to memory of 2652 N/A C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 2652 wrote to memory of 852 N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 2652 wrote to memory of 852 N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 2652 wrote to memory of 852 N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 2784 wrote to memory of 468 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe
PID 2784 wrote to memory of 468 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe
PID 2784 wrote to memory of 468 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe
PID 468 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\KanKan.exe
PID 468 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\KanKan.exe
PID 468 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\KanKan.exe
PID 468 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe
PID 468 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe
PID 468 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe
PID 2132 wrote to memory of 3208 N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe
PID 2132 wrote to memory of 3208 N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe
PID 2132 wrote to memory of 3208 N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe
PID 4448 wrote to memory of 2440 N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe
PID 4448 wrote to memory of 2440 N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe
PID 4448 wrote to memory of 2440 N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe
PID 2784 wrote to memory of 3936 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe
PID 2784 wrote to memory of 3936 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe
PID 2784 wrote to memory of 3936 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XiuXiu_aam-X64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 973FCD589FFD68C30AC1D18211BACC48 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DeliverZealousOrganizer','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\ZwBOUOWNBGvtCMZycNirmuYkVxRBKO" -o"C:\Program Files\DeliverZealousOrganizer\" -p"997173P:Vt]7}%8!6a+u" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\TmqervRMoMJhXYcsvItByQcGNQmuHu" -x!1_jyPHAcnkRKeV.exe -x!sss -x!1_AHsWmFUtsdcfXwklmBBALPyTMxykDh.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\DeliverZealousOrganizer\" -p"5651233n+24@Dcz?!m_F" -y

C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe

"C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\ZwBOUOWNBGvtCMZycNirmuYkVxRBKO" -o"C:\Program Files\DeliverZealousOrganizer\" -p"997173P:Vt]7}%8!6a+u" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe

"C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\TmqervRMoMJhXYcsvItByQcGNQmuHu" -x!1_jyPHAcnkRKeV.exe -x!sss -x!1_AHsWmFUtsdcfXwklmBBALPyTMxykDh.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\DeliverZealousOrganizer\" -p"5651233n+24@Dcz?!m_F" -y

C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe

"C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe" -number 192 -file file3 -mode mode3

C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe

"C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.vbs"

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe

"C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe" install

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe

"C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe" start

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe

"C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe"

C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe

"C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe" -number 207 -file file3 -mode mode3

C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe

"C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe" -number 62 -file file3 -mode mode3

C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe

C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe /S /K /D=C:\Program Files (x86)\Meitu\

C:\Program Files (x86)\Meitu\KanKan\KanKan.exe

"C:\Program Files (x86)\Meitu\KanKan\KanKan.exe" -Install

C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe

"C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe" "http://kankan.dl.meitu.com/update/KanKanPDF_Setup.exe|SW_HIDE|C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\pdf_dl_head.bmp|美图看看PDF阅读器|KanKanPDF_Setup"

C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe

"C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe" <software>MTKK</software><style>0</style><wparam></wparam>

C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe

"C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe"

C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe

"C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 fgfdg5631gfd.icu udp
HK 38.47.221.103:80 fgfdg5631gfd.icu tcp
HK 47.238.74.160:10200 tcp
US 8.8.8.8:53 103.221.47.38.in-addr.arpa udp
US 8.8.8.8:53 160.74.238.47.in-addr.arpa udp
US 8.8.8.8:53 qweae.top udp
US 148.178.21.107:29230 qweae.top tcp
US 8.8.8.8:53 qweaq.shop udp
US 148.178.21.107:29230 qweaq.shop tcp
US 8.8.8.8:53 data.meitu.com udp
US 8.8.8.8:53 kankan.dl.meitu.com udp
GB 38.175.44.15:80 kankan.dl.meitu.com tcp
CN 183.57.36.11:80 data.meitu.com tcp
US 8.8.8.8:53 15.44.175.38.in-addr.arpa udp
US 148.178.21.107:29230 qweaq.shop tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 148.178.21.107:29230 qweaq.shop tcp
CN 183.57.36.11:80 data.meitu.com tcp
US 8.8.8.8:53 sucai.meitu.com udp
US 8.8.8.8:53 xiuxiu.dl.meitu.com udp
GB 38.175.44.19:80 xiuxiu.dl.meitu.com tcp
US 8.8.8.8:53 19.44.175.38.in-addr.arpa udp
CN 183.57.36.11:80 data.meitu.com tcp
US 148.178.21.107:29230 qweaq.shop tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{870d39af-fdb1-4e3c-83b3-f3534220c9af}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

memory/2176-24-0x0000023874130000-0x0000023874152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr0rheed.pdg.ps1

C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe

C:\Program Files\DeliverZealousOrganizer\ZwBOUOWNBGvtCMZycNirmuYkVxRBKO

C:\Program Files\DeliverZealousOrganizer\TmqervRMoMJhXYcsvItByQcGNQmuHu

C:\Program Files\DeliverZealousOrganizer\2_jyPHAcnkRKeV.exe

C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe

C:\Config.Msi\e57dd70.rbs

C:\Windows\Installer\e57dd6f.msi

memory/5012-69-0x0000000029F80000-0x0000000029FAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\System.dll

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.exe

C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.vbs

memory/1004-80-0x00000000002C0000-0x0000000000396000-memory.dmp

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.xml

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\meituWel.ini

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\InstallOptions.dll

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KWMInNtjSDED.exe.log

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.wrapper.log

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.wrapper.log

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.wrapper.log

C:\Program Files\DeliverZealousOrganizer\KWMInNtjSDED.wrapper.log

memory/852-155-0x0000000029D50000-0x0000000029D9D000-memory.dmp

memory/852-156-0x000000002B980000-0x000000002BB3D000-memory.dmp

memory/852-158-0x000000002B980000-0x000000002BB3D000-memory.dmp

memory/852-159-0x000000002B980000-0x000000002BB3D000-memory.dmp

memory/852-160-0x000000002B980000-0x000000002BB3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\progress_2.bmp

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\meituWel.ini

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\kankan.bmp

C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\AnimGif.dll

C:\Users\Admin\AppData\Local\Temp\nst9A96.tmp\System.dll

C:\Program Files (x86)\Meitu\XiuXiu\Images\Icons\mtpt_16x16.ico

C:\Users\Admin\AppData\Local\Temp\nst9A96.tmp\Processes.dll

memory/468-722-0x00000000021A0000-0x00000000021AD000-memory.dmp

C:\Program Files (x86)\Meitu\KanKan\uninst.exe

C:\Program Files (x86)\Meitu\KanKan\KanKan.exe

C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe

C:\Program Files (x86)\Meitu\KanKan\LibImage19.dll

C:\Program Files (x86)\Meitu\KanKan\MeituUDUI.dll

C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\pdf_dl_head.bmp

C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe

C:\Users\Admin\AppData\Roaming\Meitu\KanKan\Config\config.ini

C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\美图\美图看看\美图看看PDF阅读器.lnk

C:\Program Files (x86)\Meitu\KanKan\PlugIns\KanKanPDF\KanKanPDF.exe

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_color_all_a.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_restart_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_tab_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_cut_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_information_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_tabmid_flow_c .png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_editdlg_left.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_floatdlg_middleleft.png

C:\Program Files (x86)\Meitu\XiuXiu\XiuXiu.exe

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\ioSpecial.ini

memory/2784-4469-0x0000000006410000-0x0000000006434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsq79E.tmp\ioSpecial.ini

memory/3936-4475-0x0000000001E50000-0x0000000001E77000-memory.dmp

memory/3936-4474-0x0000000001E30000-0x0000000001E41000-memory.dmp

memory/3936-4472-0x0000000001B60000-0x0000000001E13000-memory.dmp

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Resources\RecentFiles.ini

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 09:44

Reported

2024-11-18 09:48

Platform

win7-20240729-en

Max time kernel

148s

Max time network

150s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XiuXiu_aam-X64.msi

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Meitu\KanKan\KanKan.exe = "C:\\Program Files (x86)\\Meitu\\KanKan\\KanKan.exe:*:Enabled:KanKan" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Program Files\Internet Explorer\iexplore.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0A17BC17FF10008872A7205D0D43E2_608DEF97DFACECDA8E97C6F270153A4F C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0A17BC17FF10008872A7205D0D43E2_608DEF97DFACECDA8E97C6F270153A4F C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8F8712BCE78D28F9C5E3E950CD93EADA_4648AEEB5A95A91D43B71C1DA0AE4E3B C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\美图秀秀.lnk C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8F8712BCE78D28F9C5E3E950CD93EADA_4648AEEB5A95A91D43B71C1DA0AE4E3B C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\Internet Explorer\iexplore.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_general_deelblue_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_statictext.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_recrop_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_member_ok_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_newdlg_bottomleft.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\setting\sepr.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\toolbar\adressup.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_save_cancel_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_bigsina.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\control\floatbar_btnbg_mid.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_borderstyle1_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\SimplifiedChinese\Menu.ini C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_st_dgst_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_save_success.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\SimplifiedChinese\DLGLEFTWORDEX.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_edit_border2_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_openeffect_simple_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\member_signinico3.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_menu_ptedit_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_floatdlg_bottomright.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Shipin\Egao\mtsc11594.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\ImgUI\login_bg.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Pintu\Moban\Biankuang\010.ptbj C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\icc\USWebUncoated.icc C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_meirong_mp_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\skin_filedlg_topright.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_general_bold_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_jgqt_tip_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_meirong_jmg_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_effectdlg_topmiddle.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\SimplifiedChinese\DLGNEWLAYER.dat C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_general_blue2_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_puzzlemb.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\ico_fore_random.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Meirong\Jiafa\mtsc11293.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_main_picinformation_d.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_newqqkj.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Web\Dhsz\images\wzsc0001.gif C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Pintu\Moban\Diwen\mtsc101994.jpg C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_bg_magic_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_member_cancel_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_fore_bizhencj.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_ellipse_color_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Web\Welcome\images\help\2.jpg C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\xiuxiu\Effects\mtxx_caiqian.jpg C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\control\homeendbg.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\bg_mp_generaladjust.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Web\Welcome\icon\5049cd3f9b2a7235.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\PlugIns\KanKanPDF\Skin\Default\control\SideSplitter.png C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
File created C:\Program Files (x86)\Meitu\xiuxiu\Resources\hlsl\mtpe_rttvs.fx C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_general_right_d.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_main_size_d.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\ico_iphone.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\xiuxiu\Effects\Particles\6_3.jpg C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\control\left.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_borderstyle1_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_restore_a.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_right_tab_c.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\Sucai\Shipin\Jieri\mtsc11361.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\toolbar\search_clear_hover.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_meirong_qdqb_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_pen_tuya_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File created C:\Program Files (x86)\Meitu\KanKan\Skin\Default2.0\control\arrow_green.png C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
File created C:\Program Files (x86)\Meitu\XiuXiu\Skins\blue\Images\btn_gengeral_blue_b.png C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\XiuXiu.ico C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File opened for modification C:\Windows\Installer\f771d22.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771d23.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771d25.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771d22.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1E5A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f771d23.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\wan.ico C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\uninstall.ico C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SECURITYBAND\KanKan.exe = "1" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\KanKan.exe = "1" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\KanKan.exe = "1" C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2EF0F942-226E-4744-BED8-C1AFAABCDFFF}\d2-91-88-a7-e9-5d C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2EF0F942-226E-4744-BED8-C1AFAABCDFFF}\WpadNetworkName = "Network 3" C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\shell\ = "open" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PCX\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\KanKan\\ImgFmt.dll,-107" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-91-88-a7-e9-5d\WpadDecisionTime = 300ac5c89e39db01 C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-91-88-a7-e9-5d\WpadDecisionTime = 305ab5009f39db01 C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\DefaultIcon C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.GIF\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.TGA C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\.JPEG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.ICO\shell\open\ = "美图看看" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\KanKan\\ImgFmt.dll,-101" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2EF0F942-226E-4744-BED8-C1AFAABCDFFF}\WpadDecisionReason = "1" C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 010000000000000010229ccc9e39db01 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.TGA\ = "KK.TGA" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\OperationalData = "4" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.WMF\DefaultIcon C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PGX\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PSD\shell\ = "open" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.TGA\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2EF0F942-226E-4744-BED8-C1AFAABCDFFF}\WpadDecision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070b000100120009002f0009003702 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPC\shell\ = "open" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PGX\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\KanKan\\ImgFmt.dll,-112" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.CR2\ = "KK.RAW" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\ = "Kankan JPEG 图像" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JPEG\shell\使用美图秀秀编辑和美化 C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.JP2\shell\open\command C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2EF0F942-226E-4744-BED8-C1AFAABCDFFF}\d2-91-88-a7-e9-5d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.RAW\shell C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.PCX\DefaultIcon C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\KK.WMF\shell\print\command C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.PPM\ = "KK.PNM" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\.DNG\ = "KK.RAW" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtst\Shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.exe\" \"%1\"" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\shell\使用美图秀秀编辑和美化\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtpt\DefaultIcon C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JPE\OpenWithProgids\KK.JPEG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PGX C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\使用美图秀秀编辑和美化 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CR2\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.PSD\OpenWithProgids\KK.PSD C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtdt\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\Images\\Icons\\mtdt_16x16.ico,0" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KK.skin\shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\KanKan\\KanKan.exe\" \"%1\"" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JPG\OpenWithProgids\KK.JPEG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JNG\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.SKA\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PPM C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtst\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\Images\\Icons\\mtst_16x16.ico,0" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtpt\Shell\open\command\ = "\"C:\\Program Files (x86)\\Meitu\\XiuXiu\\XiuXiu.exe\" \"%1\"" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JFI\OpenWithProgids\KK.JPEG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.PNG\OpenWithProgids\KK.PNG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JPC\OpenWithProgids\KK.JPC C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\nlf2\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\Images\\Icons\\mtnlf2_16X16.ico,0" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf2\Shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JPG\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.SKA\OpenWithProgids\KK.SKA C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mtww\DefaultIcon\ = "C:\\Program Files (x86)\\Meitu\\XiuXiu\\Images\\Icons\\mtww_16x16.ico,0" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.MRW\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PTX C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.DNG\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.TGA C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.PGX\OpenWithProgids\KK.PGX C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RAS C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.MNG\OpenWithProgids\KK.MNG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.JNG\OpenWithProgids\KK.MNG C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kks C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.PGM\OpenWithProgids\KK.PNM C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ARW\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.KDC\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5948C0487838E034B936BD7F41486748 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtjt C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BMP\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mtjt\ = "MTJT" C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtbk\Shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.nlf2 C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PNG\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JP2\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RAF C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mtjt C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf3\Shell\open\command C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mtdt C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mtdt\Shell C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KK.skin C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\neoframe\DefaultIcon C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf\Shell\open C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PCX\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PNM C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.SR2\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.NEF\OpenWithProgids\KK.RAW C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88B26C234A892F14A94EAE662952A65E\PackageCode = "3FE7E62EFE9837F46AC519E336724A06" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nlf2\DefaultIcon C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kks\ = "KK.skin" C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.SRF\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CUR\OpenWithProgids C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.WBM C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: 35 N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: 35 N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe N/A
N/A N/A C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2300 wrote to memory of 800 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 300 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 300 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 300 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 300 wrote to memory of 1576 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe
PID 2300 wrote to memory of 2676 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe
PID 2300 wrote to memory of 1108 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe
PID 1108 wrote to memory of 1584 N/A C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe
PID 1584 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\KanKan.exe
PID 1584 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe
PID 1296 wrote to memory of 2028 N/A C:\Program Files (x86)\Meitu\KanKan\KanKan.exe C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe
PID 528 wrote to memory of 2732 N/A C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XiuXiu_aam-X64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003EC" "00000000000005B0"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 89A5D7811CD01BB1D94DF42715BB8674 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DeliverZealousOrganizer','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\ZwBOUOWNBGvtCMZycNirmuYkVxRBKO" -o"C:\Program Files\DeliverZealousOrganizer\" -p"997173P:Vt]7}%8!6a+u" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\TmqervRMoMJhXYcsvItByQcGNQmuHu" -x!1_jyPHAcnkRKeV.exe -x!sss -x!1_AHsWmFUtsdcfXwklmBBALPyTMxykDh.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\DeliverZealousOrganizer\" -p"5651233n+24@Dcz?!m_F" -y

C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe

"C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\ZwBOUOWNBGvtCMZycNirmuYkVxRBKO" -o"C:\Program Files\DeliverZealousOrganizer\" -p"997173P:Vt]7}%8!6a+u" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe

"C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe" x "C:\Program Files\DeliverZealousOrganizer\TmqervRMoMJhXYcsvItByQcGNQmuHu" -x!1_jyPHAcnkRKeV.exe -x!sss -x!1_AHsWmFUtsdcfXwklmBBALPyTMxykDh.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\DeliverZealousOrganizer\" -p"5651233n+24@Dcz?!m_F" -y

C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe

"C:\Program Files\DeliverZealousOrganizer\jyPHAcnkRKeV.exe" -number 192 -file file3 -mode mode3

C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe

"C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe"

C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe

C:\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe /S /K /D=C:\Program Files (x86)\Meitu\

C:\Program Files (x86)\Meitu\KanKan\KanKan.exe

"C:\Program Files (x86)\Meitu\KanKan\KanKan.exe" -Install

C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe

"C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe" "http://kankan.dl.meitu.com/update/KanKanPDF_Setup.exe|SW_HIDE|C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\pdf_dl_head.bmp|美图看看PDF阅读器|KanKanPDF_Setup"

C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe

"C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe" <software>MTKK</software><style>0</style><wparam></wparam>

C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe

"C:\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe"

C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe

"C:\Program Files (x86)\Meitu\XiuXiu\xiuxiu.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://xiuxiu.meitu.com/success.html?code=2E75AF03F05058A80338EEC7671D8C6B6BD079DE09B757B3895DF24E1D3F8F9C4

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe

"C:\Program Files (x86)\Meitu\XiuXiu\MtHuaBao.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 kankan.dl.meitu.com udp
GB 38.175.44.18:80 kankan.dl.meitu.com tcp
US 8.8.8.8:53 data.meitu.com udp
CN 183.57.36.11:80 data.meitu.com tcp
US 8.8.8.8:53 xiuxiu.meitu.com udp
CN 183.57.36.11:80 data.meitu.com tcp
GB 174.35.118.63:80 xiuxiu.meitu.com tcp
US 8.8.8.8:53 sucai.meitu.com udp
GB 174.35.118.63:443 sucai.meitu.com tcp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
GB 163.181.154.202:80 ocsp.dcocsp.cn tcp
US 8.8.8.8:53 xiuxiu.dl.meitu.com udp
GB 174.35.118.63:443 sucai.meitu.com tcp
US 8.8.8.8:53 w.cnzz.com udp
US 8.8.8.8:53 pc.meitu.com udp
GB 38.175.44.19:80 xiuxiu.dl.meitu.com tcp
CN 106.225.241.95:80 w.cnzz.com tcp
CN 124.70.109.158:80 pc.meitu.com tcp
CN 124.70.109.158:80 pc.meitu.com tcp
CN 106.225.241.95:80 w.cnzz.com tcp
US 8.8.8.8:53 tuiguang.meitu.com udp
GB 163.171.129.134:80 tuiguang.meitu.com tcp
GB 163.171.129.134:80 tuiguang.meitu.com tcp
CN 183.57.36.11:80 data.meitu.com tcp
CN 183.57.36.11:80 data.meitu.com tcp
CN 106.225.241.95:80 w.cnzz.com tcp
CN 124.70.28.99:80 pc.meitu.com tcp
CN 124.70.28.99:80 pc.meitu.com tcp
CN 106.225.241.95:80 w.cnzz.com tcp
CN 183.57.36.11:80 data.meitu.com tcp
CN 183.57.36.11:80 data.meitu.com tcp
CN 124.70.109.158:80 pc.meitu.com tcp
CN 124.70.109.158:80 pc.meitu.com tcp
CN 183.57.36.11:80 data.meitu.com tcp
CN 124.70.28.99:80 pc.meitu.com tcp
CN 124.70.28.99:80 pc.meitu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 163.171.129.134:80 tuiguang.meitu.com tcp
US 8.8.8.8:53 sucai.dl.meitu.com udp
US 8.8.8.8:53 xiuxiu.int.meitudata.com udp
GB 38.175.44.17:80 sucai.dl.meitu.com tcp
US 8.8.8.8:53 tuiguang.meitu.com udp
GB 174.35.118.62:80 tuiguang.meitu.com tcp
GB 174.35.118.62:80 tuiguang.meitu.com tcp

Files

memory/2300-12-0x0000000000170000-0x0000000000180000-memory.dmp

memory/800-17-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/800-18-0x0000000002480000-0x0000000002488000-memory.dmp

C:\Program Files\DeliverZealousOrganizer\twtiuWMTMVYtAYTeUctRIfaDFjggmo.exe

C:\Program Files\DeliverZealousOrganizer\ZwBOUOWNBGvtCMZycNirmuYkVxRBKO

C:\Program Files\DeliverZealousOrganizer\TmqervRMoMJhXYcsvItByQcGNQmuHu

C:\Program Files\DeliverZealousOrganizer\2_jyPHAcnkRKeV.exe

C:\Program Files\DeliverZealousOrganizer\XiuXiu_360Setup_4.0.1.exe

C:\Config.Msi\f771d24.rbs

memory/2676-59-0x000000002B130000-0x000000002B15F000-memory.dmp

\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\System.dll

C:\Windows\Installer\f771d22.msi

\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\meituWel.ini

\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\progress_2.bmp

\Users\Admin\AppData\Local\Temp\KKSetup_1008.exe

\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\AnimGif.dll

C:\Program Files (x86)\Meitu\XiuXiu\Images\Icons\mtpt_16x16.ico

\Users\Admin\AppData\Local\Temp\nso9F7B.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nso9F7B.tmp\Processes.dll

memory/1584-897-0x0000000000380000-0x000000000038D000-memory.dmp

\??\PIPE\srvsvc

\Program Files (x86)\Meitu\KanKan\KanKan.exe

\Program Files (x86)\Meitu\KanKan\uninst.exe

\Program Files (x86)\Meitu\KanKan\mtkkDownload\mtkkDownload.exe

C:\Program Files (x86)\Meitu\KanKan\MeituUDUI.dll

C:\Program Files (x86)\Meitu\KanKan\mtkkDownload\pdf_dl_head.bmp

C:\Program Files (x86)\Meitu\KanKan\LibImage19.dll

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_color_all_a.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_restart_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_dlg_tab_b.png

C:\Program Files (x86)\Meitu\KanKan\KanKanST.exe

C:\Users\Admin\AppData\Roaming\Meitu\KanKan\Config\config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_cut_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_main_information_b.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\btn_tabmid_flow_c .png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_editdlg_left.png

C:\Program Files (x86)\Meitu\XiuXiu\Skins\red\Images\skin_floatdlg_middleleft.png

\Users\Admin\AppData\Roaming\Meitu\KanKan\mtkkDownload\KanKanPDF_Setup.exe

C:\Program Files (x86)\Meitu\KanKan\PlugIns\KanKanPDF\KanKanPDF.exe

C:\Program Files (x86)\Meitu\XiuXiu\XiuXiu.exe

C:\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\ioSpecial.ini

C:\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\ioSpecial.ini

memory/1108-4407-0x0000000006490000-0x00000000064B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse3CD4.tmp\ioSpecial.ini

memory/1916-4447-0x0000000000210000-0x0000000000225000-memory.dmp

memory/1916-4448-0x0000000000230000-0x0000000000241000-memory.dmp

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Program Files (x86)\Meitu\XiuXiu\Resources\RecentFiles.ini

C:\Program Files (x86)\Meitu\XiuXiu\Config.ini

C:\Users\Admin\AppData\Local\Temp\CabD5D8.tmp

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarD765.tmp

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery-1.8.0.min[1].js
