Field | Value |
---|---|
File name | 金山清理.exe |
Full analysis | https://app.any.run/tasks/f8cdafb7-8402-47fe-8da5-7a5736459ffc |
Verdict | Malicious activity |
Analysis date | October 09, 2019, 16:13:20 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5 | 5A56D748F64956349B5C3CAF8A0D38FA |
SHA1 | 160B5676C0EAF1206E12322E3CFA296546CCD9EC |
SHA256 | 04C19FC6A56E587FCE652F0BCAE521D028F0D2E2F4D6D5B86BF03694C9D53944 |
SSDEEP | 98304:tKDJ/fEdK2lgsnlzrjmZx8YcmhuSSAFMYAx:qeblCOSVAx |

Extension | TrID match |
---|---|
.exe | Generic Win/DOS Executable (50) |
.exe | DOS Executable Generic (49.9) |

Field | Value |
---|---|
ProductVersion | 9,3,286644,16275 |
ProductName | Kingsoft Internet Security |
OriginalFileName | kcleaner.exe |
LegalCopyright | Copyright (C) 1998-2016 Kingsoft Corporation |
InternalName | KCleaner |
FileVersion | 2016,08,04,16275 |
FileDescription | 垃圾清理 |
CompanyName | Kingsoft Corporation |
CharacterSet | Unicode |
LanguageCode | Neutral |
FileSubtype | - |
ObjectFileType | Dynamic link library |
FileOS | Windows NT 32-bit |
FileFlags | (none) |
FileFlagsMask | 0x003f |
ProductVersionNumber | 9.3.24500.16275 |
FileVersionNumber | 2016.8.4.16275 |
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | - |
OSVersion | 4 |
EntryPoint | 0x22e50 |
UninitializedDataSize | 90112 |
InitializedDataSize | 20480 |
CodeSize | 49152 |
LinkerVersion | 8 |
PEType | PE32 |
TimeStamp | 2012:12:30 09:49:49+01:00 |
MachineType | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 30-Dec-2012 08:49:49 |
Detected languages | |

Field | Value |
---|---|
CompanyName | Kingsoft Corporation |
FileDescription | 垃圾清理 |
FileVersion | 2016,08,04,16275 |
InternalName | KCleaner |
LegalCopyright | Copyright (C) 1998-2016 Kingsoft Corporation |
OriginalFilename | kcleaner.exe |
ProductName | Kingsoft Internet Security |
ProductVersion | 9,3,286644,16275 |

Field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0060 |
Pages in file | 0x0001 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x00000060 |

Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 3 |
Time date stamp | 30-Dec-2012 08:49:49 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00016000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00017000 | 0x0000C000 | 0x0000C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.91441 |
.rsrc | 0x00023000 | 0x00005000 | 0x00004800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.62619 |

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.92411 | 1342 | UNKNOWN | Chinese - PRC | RT_MANIFEST |
2 | 6.62127 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 5.69925 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
128 | 2.45849 | 48 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |

Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.DLL |
MSVCRT.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3956 | "C:\Users\admin\Desktop\金山清理.exe" | C:\Users\admin\Desktop\金山清理.exe | — | explorer.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: MEDIUM; Description: 垃圾清理; Exit code: 3221226540; Version: 2016,08,04,16275 |
2144 | "C:\Users\admin\Desktop\金山清理.exe" | C:\Users\admin\Desktop\金山清理.exe | | explorer.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: 垃圾清理; Version: 2016,08,04,16275 |
3472 | "C:\Users\admin\Desktop\金山清理.exe" -sfxwaitall:0 "kcleaner.exe" | C:\Users\admin\Desktop\金山清理.exe | — | 金山清理.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: 垃圾清理; Version: 2016,08,04,16275 |
2620 | "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\kcleaner.exe" | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\kcleaner.exe | | 金山清理.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: 垃圾清理; Version: 2016,08,04,16275 |

(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
— | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
— | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E1A90C5-52A6-494c-A81F-F38C632C77A2} | write | Test | 0 |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{10C4E843-C226-3FDF-9DD6-F4E3275E734D} | delete value | InstallSource | C:\aea047f5359231e30f22032205cba6\ |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83218092F0} | delete value | InstallSource | C:\Users\admin\AppData\LocalLow\Oracle\Java\jre1.8.0_92\ |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} | delete value | InstallSource | C:\Users\admin\AppData\LocalLow\Oracle\Java\AU\ |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} | delete value | InstallSource | C:\Program Files\Google\Update\1.3.34.7\ |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} | delete value | InstallSource | c:\e2c70ca8eee80100f5f28b\ |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} | delete value | InstallSource | c:\b4d64a262fcd3111c7e9f37449\ |
(2620) kcleaner.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook | delete key | | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\data\cleanlist.dat | binary | F830EE9904C172252ED07E4CC00ACFA2 | 2718B366C6527F58A6BAA70192F04C324420C958A939F56E12B99B9F1E84BD1B |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\security\kxescan\ksreng3.dll | executable | C8FAF050931B34D4302DF68245DE63E4 | 1269E5D959E312A061493CF0BCC7816EC6972AD1472C755964A4C03CD12BD342 |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\data\kcleanerselectallrisk.xml | xml | 2C129D95D102BE5F2633FA6FB12D6DE4 | 9FCDF85FFC0808DA22B267DAEAFAA8F8ADFB41127C5E26D63CCEDC8E51DB268E |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\kskinmgr.dll | executable | D470D592330FE6BD42F82B9730BC63D8 | 82279779288AF5EB11327DAD830C05B859B51840C04C66A05A3ED1CB6CAB5DE2 |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\security\kxescan\config3a.dat | binary | 457D1808DEF819B70D2D0173402B5883 | E31A0CAB632BEDA4D88D8B5CFD63533CFDEAD5D0B3524B8E641227949666A849 |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\kcleaner.exe | executable | A98DFA85719E966A0BC67E79B38BA331 | 7241E288945650610B4514D5F1E5B36EF79E3D0AF0935DC8BBFB15D576D73FEE |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\data\kaccclear.dat | binary | 674B0121E5F07799502A737728965B0A | 6BA7D0047729E9026DCDDE29A5EE16A1EA12D44946D7970EEF6EE1E8FF1E5E22 |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ktrashscan.dll | executable | 9C9EDEBC6F3CA59469B4A19AA381FE72 | 7A9E36F560B7645A34FB042F9B40BB2ECEC60734EAD69E556B427C458648C879 |
2144 | 金山清理.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\microsoft.vc80.crt.manifest | xml | 89CA53AE1155058A5F93234B13B17C7D | D736C413543B6B168DC59769840AE95B5726D428F69A23AF1659DEA8FB4236C8 |
2620 | kcleaner.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\data\softicon\softicon48\60000043.png | image | 7102CD4D6BBB01E484C77EDC17070EA1 | 6637A82D9D6859467BCD607D228DCE5B1D6449BDC37E08D60E84206E93D24FB9 |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2620 | kcleaner.exe | 103.104.170.24:80 | dl.ijinshan.com | — | — | unknown |
2620 | kcleaner.exe | 103.104.170.25:80 | dl.ijinshan.com | — | — | unknown |

Domain | IP | Reputation |
---|---|---|
dl.ijinshan.com | | whitelisted |
dns.msftncsi.com | | shared |