4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Size

1.6MB
MD5

58cf8209f97252b8126cf3ba13f6cb92
SHA1

954fddb2a43eef8f0a4f16d02e8599b2b2ea81fe
SHA256

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe
SHA512

f6cb4a9aee03420c085b6e13fcdca5512512dc8cd7ceae4429e4a5140b6ba673b80f496b92c296a39879386e758a4ae27a0bf1a7462e2f3202f2cf64221d2e06

Score

10^/10

bootkit discovery evasion persistence suricata trojan upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 16 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	ioc	process
File created	C:\Windows\system32\drivers\kisknl64.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\ksapi.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisknl64_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisknl_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisnetm_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisknl.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\kisnetm64_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\ksapi64_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\ksapi_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Executes dropped EXE 3 IoCs

Processes:

KDbCIHelper.exekavlog2.exeksoftmgr.exe

pid process

1448 KDbCIHelper.exe
492 kavlog2.exe
3708 ksoftmgr.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1448	KDbCIHelper.exe
492	kavlog2.exe
3708	ksoftmgr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	upx

Loads dropped DLL 7 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exekavlog2.exeksoftmgr.exe

pid	process
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
492	kavlog2.exe
492	kavlog2.exe
3708	ksoftmgr.exe
3708	ksoftmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description ioc process

File opened for modification \??\PhysicalDrive0 4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Drops file in System32 directory 1 IoCs

Processes:

kavlog2.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\KAVEventLog.EVT kavlog2.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\winesystem001.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.xml	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kcommon.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksedset.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_roundicon_avdr.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\k2wsprotect64.exe.bak	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\defendmon.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\kfxspring_skin_img.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2roundiconthemecmnbtn.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksrengurl.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\scriptconfig.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcmppinvoker.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetm64.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_kcleaner_deep_clean.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kismain.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopcenter.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\k2swebshield.dll.bak	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswscxex.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\wifi_icon.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\newyear.dubatheme	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebase.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_taobao1212_test1_main.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kguidcfg.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\spdupcfg.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kscanner.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoft.xml	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseta.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\whiteurl.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_gamebox1.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\1.jpg	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\search.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_roundicon_qiangpiao.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kaccclear.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_bobo_new.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_taobao1212_test1_sub3.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\xianshifengqiang-taobao.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksesscan.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\k2wsui64.dll.bak	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2roundiconcheetan.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kadblock.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sqlite.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\pps_rcmd_mainicon.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\cloudctrl.config	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksscfgx.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\uninstallcfg.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdh.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi_ev.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdgui2opt.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\cleanlist.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\lpolicy.dat	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\gamemode\floatwingamemode.ini	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rule.krf	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_panda_notes.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_realtimeopt_gameicon_bird.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\khackfix.kid	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_gamepop_icon.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_juhuasuan_3_8.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksskrpr.sys	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\phonehelper_subicon.png	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\web\kingsoft_duba.htm	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 44 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "b2336c08f6758b591c7a71bc5e6602c0"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_0_0_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "C7FEC3C99237748D9D59D587B860B9CA"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "95pbidl8um22ebmdl99x7iikescy"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

pid	process
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	pid	process
Token: SeDebugPrivilege	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
Token: SeDebugPrivilege	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

pid	process
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

pid	process
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ksoftmgr.exe

pid process

3708 ksoftmgr.exe
3708 ksoftmgr.exe

pid	process
3708	ksoftmgr.exe
3708	ksoftmgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

description	pid	process	target process
PID 4292 wrote to memory of 1448	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	KDbCIHelper.exe
PID 4292 wrote to memory of 1448	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	KDbCIHelper.exe
PID 4292 wrote to memory of 1448	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	KDbCIHelper.exe
PID 4292 wrote to memory of 492	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	kavlog2.exe
PID 4292 wrote to memory of 492	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	kavlog2.exe
PID 4292 wrote to memory of 492	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	kavlog2.exe
PID 4292 wrote to memory of 3708	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	ksoftmgr.exe
PID 4292 wrote to memory of 3708	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	ksoftmgr.exe
PID 4292 wrote to memory of 3708	4292	4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe	ksoftmgr.exe

C:\Users\Admin\AppData\Local\Temp\4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
"C:\Users\Admin\AppData\Local\Temp\4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe
"C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe" -release
2⤵
- Executes dropped EXE
PID:1448

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:492

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe" -preload
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3708

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
2⤵
PID:2364

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
2⤵
PID:2604

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
2⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
522KB

MD5
c7256e3f7702a3848f0259b3cbaf712d

SHA1
d268660245346fc92c2832a47e84ae03e6f9ecda

SHA256
009d63fbb8f3ab13c0a1a6559c83a493dffa1fbd63c1f243d0ca3f188e489bac

SHA512
e9a8e458c82aab1b71618d2391df7a60809d0a711f35e7b45609c3335ab39ec13ff1ec67043781210503ac0f7cd5a836c96d422405b7e3b073ec19463eb2f91f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
Filesize
181KB

MD5
afe49a8d1f66320acd18cdf54ae11423

SHA1
44f2cd0a68c659f90d371b54deae0de41ddde98d

SHA256
54b370fc596fe4bc32d4b71d371e2c077dd040f520e13d6722a254c95ae98d1a

SHA512
f0a5e0f08af38d92d3adbae80c19be6e51e739f674a39d4a1aa9e460d8cfedcc9a2373575c83055b26688bf9196560d71cf9d8b5dee595a82b8f892e80a788dc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
Filesize
181KB

MD5
afe49a8d1f66320acd18cdf54ae11423

SHA1
44f2cd0a68c659f90d371b54deae0de41ddde98d

SHA256
54b370fc596fe4bc32d4b71d371e2c077dd040f520e13d6722a254c95ae98d1a

SHA512
f0a5e0f08af38d92d3adbae80c19be6e51e739f674a39d4a1aa9e460d8cfedcc9a2373575c83055b26688bf9196560d71cf9d8b5dee595a82b8f892e80a788dc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll
Filesize
128KB

MD5
5b1beaaf0d48c09a7f71bf63f0cf2ed3

SHA1
deb98b698eadb30e6b9040ab742ae7dcaac7b337

SHA256
805ca3502ac8457a024628a6cd8341d27442d73dc2048ed6ec6f1f254a599511

SHA512
e6f52e296c9b02cb77bf6479463da681c55fcaadf6f9a99645f9f5f4a53cb5ad08ca1caf6c9916f370f239907394497866ffa4529fff51c658f2de791b3f7ca6

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe
Filesize
1024KB

MD5
c9a917f89010f31093271ebdb6fffd14

SHA1
ee801bd6d7e67c657d315f57d5e87cc3b6f1870a

SHA256
b8c7734cf5d6d89442cd1eb28faade6205d1cf028b266ffd13111eb81a1773cd

SHA512
d4b9f86ee469a4f2b8017d2bf6c012034da1d31dddc4ad26ccf1cdfc7d0a44576d44605c0807071f394b74dccf8258fcb4c30be4ab0d043bdcd24677eababa45

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll
Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll
Filesize
193KB

MD5
2e67447a0b7f3192d09290503b96b738

SHA1
fccdb3ed95f71304e40b54c38c0d1a44b083c2e3

SHA256
7441b31adbe9c1cdb5af51569b7b32218def2d691f7fad07d1e6be60a3a48041

SHA512
1381828c17b1448b8321c2be0509e90742a9235063183bea850bbf940c133eda1b4e67a382750de44dc5a8afe28de05e2047c13ba21c286f9c29e184b2b58b9e

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
Filesize
3.6MB

MD5
ec97eb619fd07ba0aee6783eac3bcb47

SHA1
7f5788269192c59ad8cda179cbf3e5a4cc490972

SHA256
699605488bf15f37a167d105f8550c43225ac309bc1b4321e42172e32f70fb42

SHA512
e4f923235474b8df81ad407bc9a4e21e6ac6aaa0ae8f3fb3de13f4eb080d60d566035b52175214d416001caf7cf5c1484111799c43dea900aea9df3a87d4f272

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe
Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe
Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
Filesize
36.6MB

MD5
cf20e3f69ae844fd027ce759f0aa560c

SHA1
2d5079bf74c4cdc226c605a9e82bd803ff577648

SHA256
f9cce6e4026f7be00fbf665bdc9e433baf0932ddf8bf660bcacbc61a4b44748a

SHA512
49dae81fe0b2a47c548674ec2dea8c4a9a956308daf6ee6a7448ec373ca07094e0d04cd9dc88c527778d91aa8b13ecd6045eddf60d79a8c061f9530ac1b70015

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCP80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCR80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
522KB

MD5
c7256e3f7702a3848f0259b3cbaf712d

SHA1
d268660245346fc92c2832a47e84ae03e6f9ecda

SHA256
009d63fbb8f3ab13c0a1a6559c83a493dffa1fbd63c1f243d0ca3f188e489bac

SHA512
e9a8e458c82aab1b71618d2391df7a60809d0a711f35e7b45609c3335ab39ec13ff1ec67043781210503ac0f7cd5a836c96d422405b7e3b073ec19463eb2f91f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll
Filesize
896KB

MD5
6a0ca4e7b0eb75306c88674801591ec7

SHA1
7b4c504b350611b5ad3d3f3e119050c492cb27e2

SHA256
1f675df608676fe4fc3a976293d6ed214d6f3466db13bea00b261fd7385af66b

SHA512
af6d1bd26db8df78148d28b86a24fd0a9f3e7ab990dc4d5ea19ece76843d1e582162fde6bb708f875a770d224b8d4c3712426aa49ad7efc3265456ee01d6edbd

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
Filesize
3.6MB

MD5
ec97eb619fd07ba0aee6783eac3bcb47

SHA1
7f5788269192c59ad8cda179cbf3e5a4cc490972

SHA256
699605488bf15f37a167d105f8550c43225ac309bc1b4321e42172e32f70fb42

SHA512
e4f923235474b8df81ad407bc9a4e21e6ac6aaa0ae8f3fb3de13f4eb080d60d566035b52175214d416001caf7cf5c1484111799c43dea900aea9df3a87d4f272

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
Filesize
318KB

MD5
7dacf31d3906c42de3529bba7f4f43cb

SHA1
6dccd65e7a19d5896fb33c12cbf3e54f01e992c3

SHA256
ae516a5ec2e01334edb329c4268186a8810f31cbdcb8eda9b8f4a3a393816bb9

SHA512
f05525c372a18fdca8439f79920ce1701d60862b576efd138f0427c7b32ae48aa466cceccc17d0f445ece1e50fc75a5848ad46795370d3bcfc7242d56c9c8da4

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kctrl.dat
Filesize
3KB

MD5
887ed679698117d421b8ac9d636db34e

SHA1
3d39c3f6cca90b385b05bb55e9886da4e216095d

SHA256
63db532c2d893da092fd4cd495c1fffda792c9034f1b5d2996116c584acd702b

SHA512
30aef737b4efbaa3bee0b93b693fdbdb9b4a30468ade5f050edfccb950a897e686385546cda78c3e992073fb4ca34ecfb37435ed99130c52f52035bdb1f4ee38

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx
Filesize
194KB

MD5
3850d6e5f931b015c8cf1ada958db446

SHA1
c7e1059efd4360c14fe8b4ef33ebc1071fccbec3

SHA256
53baa280450af2d1a02fd7a484d3f06e0f46cce6794af194e10f2998fb6693e8

SHA512
51a28ccd6fb44fb902355ada39886a8fee9161d221e5338a063771f755d4f07c9cae954f11e5bf4bf4939a020c05b1319eb48e54f789b3ca472b3bfbb504f20f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kismain.ini
Filesize
82B

MD5
e438ffc734ea91d4c135642c1d13a2f4

SHA1
e82c90e348460f9a289ad9a1ba283facbc87ba2b

SHA256
628094f4aaa600d66f9f9d9440f3802636788b53cc9a628eeea5b98f4964246f

SHA512
c3bb1f7481030c45356841f801697520aad2f75ac329b20c0ac4e9bd8f4d1ec5b96dbc2c492a15746730403f5b25440762b14591ebec1978d7babe398e26168b

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\uplive.svr
Filesize
9KB

MD5
0ff4535960c3d5864b2341ae71d4e5c1

SHA1
8a48f6390dba08aec7879ba27e0fd11f7e215a5d

SHA256
2f5696ebc343b65b284a2e3d37d1bc91c12dc09d42145c86e4ec795f9972d8cf

SHA512
d1fcfd4cc6ff094cd0be1f7270ceb11bcd648d763504fc80c3908655fd0bad659e9082e3bd2686e3f9f983544bf0a748bd152028ee5bd31d067af7d354a7cfb0

Download Submit
memory/492-141-0x0000000000000000-mapping.dmp

Download
memory/1448-134-0x0000000000000000-mapping.dmp

Download
memory/2364-211-0x0000000002B60000-0x0000000003120000-memory.dmp

Filesize
5.8MB

Download
memory/2364-154-0x0000000000000000-mapping.dmp

Download
memory/2604-189-0x0000000000510000-0x0000000000547000-memory.dmp

Filesize
220KB

Download
memory/2604-200-0x0000000000690000-0x00000000006BF000-memory.dmp

Filesize
188KB

Download
memory/2604-215-0x0000000002220000-0x0000000002291000-memory.dmp

Filesize
452KB

Download
memory/3708-143-0x0000000000000000-mapping.dmp

Download
memory/4292-139-0x0000000000AB0000-0x0000000000ADC000-memory.dmp

Filesize
176KB

Download