e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609

General

Target

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Size

1.6MB
MD5

be0f8e6d545ddc8c2cfedb76ad965a19
SHA1

37fbc96b83ad23e9d8102351c18944e58450f927
SHA256

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609
SHA512

cb7619971f232c4976b8cdd8cb3116a981e1b5433a87fffdda74880e6b29f9d7fc32bc1f30bb425ee000af6a48cc982ede2e693976631cd4fc989daa048c3589

Score

10^/10

bootkit discovery evasion persistence suricata trojan upx

Malware Config

Signatures

suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 35 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
File created	C:\Windows\system32\drivers\kavbootc_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetflt64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File opened for modification	C:\Windows\system32\drivers\kavbootc.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetflt64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kiscore.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetflt.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kusbquery.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kusbquery64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	upx

Loads dropped DLL 5 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description ioc process

File opened for modification \??\PhysicalDrive0 e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Drops file in Program Files directory 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvd7009.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kdhacker64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kstools\showctrl.xml	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaextend.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcleaner.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmdutils.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\clearplugin\plugin.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\space.dubatheme	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktasktimerplugin.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\wendujishrink_skin_img.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kspupwnd.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_qq_browser.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kdock.ini	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\wc.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\knotifyinvoker.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\kfxspring_skin_imgex.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_baidushurufa.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksetc\ksetc.xml	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\jijian_skin_img.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_realtimeopt_orange_btn.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\game.xml	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\se_redirect_ex2.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kstools\toolsfilepath.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\ksdesm.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kstools\kstools_banner3.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kperfcfg.xml	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-file-l2-1-0.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-libraryloader-l1-1-0.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speeduppanel\80004.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvb7001.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kscrcap_res\stamp\turn_down_big.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\filelist.ini	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\plugins\imageformats\qjpeg.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\qt5xml.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztff3006.fsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-winrt-error-l1-1-1.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpprcmd.ini	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\spt\d3w8w8q2h7e9t6v4r8g7.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztv04001.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kproc_adblock.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\ksdeutil.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kscrcap_res\size\more_large_n.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\weixin_rcmd_imgb.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\decfg.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kscrcap_res\arrow\dotted_line_arrow.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksetupwiz.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_taobao1212_test1_sub3.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\fnsign.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\zema0007.psg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxecenter.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kbootopt.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\scancfg.ini	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvd0040.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\5.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\screen_capture_taskbar_ico.ico	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisnetflt64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-crt-environment-l1-1-0.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\img_data_revert.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kanthack.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\qt5network.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\qq_pcmgr_rcmd_subicon.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Modifies registry class 26 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "6299a0257c053cb0c0b4a8acff98bde0"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_186_35_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.000ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.000ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "8FF7484A72DD7A6ABF9007377C6A0C9B"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "dzg8vessgei49hjjw4bhqczgsc72"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	pid	process
Token: SeDebugPrivilege	1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Token: SeDebugPrivilege	1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
1668	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

C:\Users\Admin\AppData\Local\Temp\e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
"C:\Users\Admin\AppData\Local\Temp\e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
Filesize
49KB

MD5
44a332318c9a823b85d1f5257dcc7ad9

SHA1
80a6e8cbd957f5280cdc69d4b1a441aba6bc6bf6

SHA256
ca615ede1d1356ac566189d4ba553f77ea074c4acb53d60b6f3144c8bfadde0c

SHA512
50b733732188c4ec42684fde06e9fc266d41c51c0009935c2fa9a301d80256122e9cab08e5b765e9270aa96138870c0881548cabd8891e42baadcbe416194c20

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
Filesize
49KB

MD5
44a332318c9a823b85d1f5257dcc7ad9

SHA1
80a6e8cbd957f5280cdc69d4b1a441aba6bc6bf6

SHA256
ca615ede1d1356ac566189d4ba553f77ea074c4acb53d60b6f3144c8bfadde0c

SHA512
50b733732188c4ec42684fde06e9fc266d41c51c0009935c2fa9a301d80256122e9cab08e5b765e9270aa96138870c0881548cabd8891e42baadcbe416194c20

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
Filesize
243KB

MD5
a6da3b519c6b7e3e7f8bd8e03dd19395

SHA1
e1ee69084db5c7b4ab9da6d035ab4439574218ff

SHA256
1940eddc40e5511f955f4f093d272b57ace997a6d95e02346a9772b4f2dbfa03

SHA512
a3430c964dd50acbb8572789d7a4fba3ad74dba4e8c8dcac139483e51ddf7a1fef3c8997bd68349c53d37b12fc9b0156c8d605fc1de73cbd33221e3589d6bad6

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
Filesize
243KB

MD5
a6da3b519c6b7e3e7f8bd8e03dd19395

SHA1
e1ee69084db5c7b4ab9da6d035ab4439574218ff

SHA256
1940eddc40e5511f955f4f093d272b57ace997a6d95e02346a9772b4f2dbfa03

SHA512
a3430c964dd50acbb8572789d7a4fba3ad74dba4e8c8dcac139483e51ddf7a1fef3c8997bd68349c53d37b12fc9b0156c8d605fc1de73cbd33221e3589d6bad6

Download Submit
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
Filesize
92.1MB

MD5
0d95bc52e08ff367d76f03fa00c15e0e

SHA1
9ca670e9e33ae58f74afcf5fa0eec81a317a6e81

SHA256
70b96250bfceb83b811dcfa7446161b17f668468695dea8a1ec58f62df421e17

SHA512
71b79757889ecf19d5cd8e20b13c2770077ba99d4ee3fa0deeb93856f8f7c09ed0d33e34190351d838e39e4652592d3e265bfdd799d09e0001836086109aa8cf

Download Submit
memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads