e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609

General

Target

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Size

1.6MB
MD5

be0f8e6d545ddc8c2cfedb76ad965a19
SHA1

37fbc96b83ad23e9d8102351c18944e58450f927
SHA256

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609
SHA512

cb7619971f232c4976b8cdd8cb3116a981e1b5433a87fffdda74880e6b29f9d7fc32bc1f30bb425ee000af6a48cc982ede2e693976631cd4fc989daa048c3589

Score

10^/10

bootkit discovery evasion persistence suricata trojan upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 35 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
File created	C:\Windows\system32\drivers\kisnetm_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File opened for modification	C:\Windows\system32\drivers\kavbootc.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetflt64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetflt.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksapi64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kusbquery.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetflt64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kdhacker64_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kiscore.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kusbquery64.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kavbootc_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\kisknl64_arm.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	upx

Loads dropped DLL 2 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description ioc process

File opened for modification \??\PhysicalDrive0 e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Drops file in Program Files directory 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftpurifyengine.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2roundiconthemecmnicon.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\skin_space.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_calendar_subicon.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\fnsign.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvbb00d.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-debug-l1-1-0.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\5.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\zofe0030.fsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetm_ev.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksetc\ksetc_2.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-crt-math-l1-1-0.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speeduppanel\80007.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kscrcap_res\arrow\circle_arrow.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\depopex.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksetc\ksetc.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kvipcore.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kslm.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsu.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\ksdepopex.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speeduppanel\80011.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\pps_rcmd_subicon.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_qiangpiao_sub1.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxe2tray.exe.bak	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztve4005.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\defendmon.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\whiteurl.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksd.nlb	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\img_data_revert.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\config.ini	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\qt5svg.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\plugins\styles\qwindowsvistastyle.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kslaunch.exe	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\defbrowser\klbromgr.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speeduppanel\80001.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speeduppanel\80009.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kscrcap_res\arrow\thin_arrow.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sqlite.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ks3rdhmpg32.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvdb00b.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvf8002.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-processthreads-l1-1-1.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kusbquery.sys	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\false.ksg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\wifi_subicon.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksm3rdex.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\safe_business.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztfb0005.fsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kswitchlist.ini	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztff6002.fsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ks2launch.exe.bak	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\keasyipcnmt.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmd_wifibaby.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\reinstall_duba.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswebshield.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmd_olympic_2016.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-synch-l1-2-0.dll	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\se_redirect_ex2.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvd0040.vsg	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\crb.dat	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kintercept.zip	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmd_guomei_online.png	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Modifies registry class 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.000ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ duba_32bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "ylgkjcv8k29l4bs2tq5boxsk8vwl"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_186_35_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_32bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "64F01C07ED464F2164CCB9F52008336B"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ duba_32bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\Shellex\ContextMenuHandlers\ duba_64bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex\ContextMenuHandlers	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktexcel	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktword	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "08e73c5d6009bbf4de6692a867b67d83"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ duba_32bit	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.000ktppt	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

description	pid	process
Token: SeDebugPrivilege	4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Token: SeDebugPrivilege	4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Token: SeRestorePrivilege	4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
Token: SeBackupPrivilege	4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

pid	process
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
4828	e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe

C:\Users\Admin\AppData\Local\Temp\e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe
"C:\Users\Admin\AppData\Local\Temp\e787844eb32181370dd1eea2c0340a7bbdf1b45ca84119ab2835419b2d435609.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

3

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
Filesize
2.9MB

MD5
0a8ed28246ab6e4a7c8996ffa911addf

SHA1
37cc881422d778d6089047a61e37ca1551409819

SHA256
0dd924ccb8bbe0115a521576062333118f85eb45dc8d9b2ae3b16d04f5bb6b75

SHA512
5f3feec601f8b075af7fc082104ba781ec7b650093ba9a6f571a1ab6d65133ba6ebfc877adce51c48003f6cbcb954b0b423fafeb8c3ed76a4d0ef6f744b7a0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
Filesize
92.1MB

MD5
0d95bc52e08ff367d76f03fa00c15e0e

SHA1
9ca670e9e33ae58f74afcf5fa0eec81a317a6e81

SHA256
70b96250bfceb83b811dcfa7446161b17f668468695dea8a1ec58f62df421e17

SHA512
71b79757889ecf19d5cd8e20b13c2770077ba99d4ee3fa0deeb93856f8f7c09ed0d33e34190351d838e39e4652592d3e265bfdd799d09e0001836086109aa8cf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads