b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94

Analysis

max time kernel
139s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
Size

1.3MB
MD5

6abbb18422b16c891c98960921b73710
SHA1

1babe32de699707abf119cc2d6575b7749adaa7e
SHA256

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94
SHA512

a9953bee67c15162cc02177a4a41b2885510d085ac152c647703466b9fae97ec398b116c4fb28bafb2e479eefee67360412ce3cb8425eff6f9eaa6b945aa1b6b
SSDEEP

24576:FtiDDKZVA2as75dOrCKZ7EDr5b5TyY1VGPSNg/ne5jEXmSZ2rFt0zkocp0:Fti3KZq2T1TKZm59TyY1sPisebSZUtmx

Score

9^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\nsRandom.dll	acprotect
behavioral1/memory/1896-60-0x00000000007A0000-0x00000000007B2000-memory.dmp	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 11 IoCs

Processes:

duba_3_279.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\bc.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\ksapi.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	duba_3_279.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\bc.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\kisknl.sys	duba_3_279.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	duba_3_279.exe

Executes dropped EXE 8 IoCs

Processes:

duba_3_279.exeOfficeAssist.0702.80.1159.exekavlog2.exekxetray.exekxescore.exekislive.exekxescore.exeOfficeAssist.0702.80.1159.exe

pid	process
1616	duba_3_279.exe
1232	OfficeAssist.0702.80.1159.exe
1952	kavlog2.exe
916	kxetray.exe
1956	kxescore.exe
1824	kislive.exe
1072	kxescore.exe
572	OfficeAssist.0702.80.1159.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

duba_3_279.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_3_279.exe

Sets file execution options in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

duba_3_279.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISMAIN.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRECYCLE.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINST.EXE	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISADDIN.EXE	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSCAN.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISCALL.EXE	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLIVE.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KXESCORE.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCOMREGSVRV8.EXE	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVLOG2.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSETUPWIZ.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KDRVMGR.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KXETRAY.EXE	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe	duba_3_279.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSIGNSP.EXE	duba_3_279.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\nsRandom.dll	upx
behavioral1/memory/1896-60-0x00000000007A0000-0x00000000007B2000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\duba_3_279.exe	upx
C:\Users\Admin\AppData\Local\Temp\duba_3_279.exe	upx
behavioral1/memory/1616-122-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\duba_3_279.exe	upx
behavioral1/memory/1616-135-0x0000000000400000-0x0000000000520000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exeduba_3_279.exeOfficeAssist.0702.80.1159.exekavlog2.exekxetray.exekxescore.exe

pid	process
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1232	OfficeAssist.0702.80.1159.exe
1232	OfficeAssist.0702.80.1159.exe
1952	kavlog2.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1952	kavlog2.exe
916	kxetray.exe
916	kxetray.exe
916	kxetray.exe
1616	duba_3_279.exe
916	kxetray.exe
1616	duba_3_279.exe
1616	duba_3_279.exe
1072	kxescore.exe
1072	kxescore.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

duba_3_279.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	duba_3_279.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

duba_3_279.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_3_279.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_3_279.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

duba_3_279.exe

description ioc process

File opened for modification \??\PhysicalDrive0 duba_3_279.exe
Drops file in System32 directory 1 IoCs

Processes:

kavlog2.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\KAVEventLog.EVT kavlog2.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	duba_3_279.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

Processes:

duba_3_279.exekxetray.exekislive.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxeksgpid.kid	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sp3a.nlb	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kshmpgext.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe.bak	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\reinstall_duba.png	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speedtest.xml	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.ini	duba_3_279.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\microsoft.vc80.mfc.manifest	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksscfgx.ini	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\ksdecs.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwssp.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sqlite.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\netbank.dat	duba_3_279.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\bc.sys	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\bro.cfg	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdh.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwifitool.kid	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatmain.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ks3rdhmpg64.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kisfdpro64.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpassport.dll	duba_3_279.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.log	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl64.sys	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\khackfix.kid	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmddb.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseutil.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsui.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\1.jpg	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaearcha.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kvmpid2.kid	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khandler.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\duba123ienew.ico	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\gamesdb_dc_mini.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi64.sys	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksskrpr.sys	duba_3_279.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatwinsetting.ini	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\web\kingsoft_weibo.htm	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khistory.ini	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksfilter.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetmxp.sys	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\installdk.ini	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kplc.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\upcfg.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswebshield.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\netmodeconfig.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksscore.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\vinfo.ini	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\se.dat	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetm64.sys	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.log	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\duba123ie.ico	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\knetworkpanel.dll	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krecycle.exe	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\scan_virus.png	duba_3_279.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\web\kingsoft_bbs.htm	duba_3_279.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B498041-42E0-11ED-8B55-6651945CA213} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 40 IoCs

Processes:

duba_3_279.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "a5da960af2e09cf9d67400007d912b3a"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "2fhx5tt9ellqln2w8p4uvkluvwba"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit	duba_3_279.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit	duba_3_279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	duba_3_279.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

duba_3_279.exeOfficeAssist.0702.80.1159.exeOfficeAssist.0702.80.1159.exe

pid	process
1616	duba_3_279.exe
1616	duba_3_279.exe
1232	OfficeAssist.0702.80.1159.exe
1232	OfficeAssist.0702.80.1159.exe
1232	OfficeAssist.0702.80.1159.exe
572	OfficeAssist.0702.80.1159.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

duba_3_279.exekislive.exe

description pid process

Token: SeDebugPrivilege 1616 duba_3_279.exe
Token: SeDebugPrivilege 1824 kislive.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1440 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1440 iexplore.exe
1440 iexplore.exe
1496 IEXPLORE.EXE
1496 IEXPLORE.EXE
1496 IEXPLORE.EXE
1496 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1616	duba_3_279.exe
Token: SeDebugPrivilege	1824	kislive.exe

pid	process
1440	iexplore.exe

pid	process
1440	iexplore.exe
1440	iexplore.exe
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe

description	pid	process	target process
PID 1896 wrote to memory of 1156	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1156	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1156	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1156	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1504	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1504	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1504	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1504	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 960	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 960	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 960	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 960	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1908	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1908	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1908	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1908	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 828	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 828	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 828	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 828	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1628	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1628	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1628	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1628	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1836	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1836	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1836	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1836	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1668	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1668	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1668	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1668	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 276	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 276	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 276	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 276	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1616	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1616	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1616	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1616	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1772	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1772	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1772	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1772	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 684	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 684	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 684	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 684	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 856	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 856	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 856	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 856	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 688	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 688	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 688	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 688	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1160	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1160	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1160	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1160	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 1896 wrote to memory of 1440	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	iexplore.exe
PID 1896 wrote to memory of 1440	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	iexplore.exe
PID 1896 wrote to memory of 1440	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	iexplore.exe
PID 1896 wrote to memory of 1440	1896	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
"C:\Users\Admin\AppData\Local\Temp\b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:1160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://120.55.149.181/Yjk5OTQ0ZGM4N2NmOWEyMmNjOTU5YjFhNGQzNGYzYjRkMTE5OGE5NTMyYTJhYzZlZDQzOTViMTcxOTBkOGE5NC5leGU=/40.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1440 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Users\Admin\AppData\Local\Temp\duba_3_279.exe
duba_3_279.exe /S
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1952

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:916

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
3⤵
- Executes dropped EXE
PID:1956

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe
OfficeAssist.0702.80.1159.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\ProgramData\kingsoft\20221003_55943\OfficeAssist.0702.80.1159.exe
"C:\ProgramData\kingsoft\20221003_55943\OfficeAssist.0702.80.1159.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:572

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe
Filesize
3.4MB

MD5
2073b01c03cd15b2502aac1dfb22a813

SHA1
b7feb0b40f5e58fd9e0e14f61747d19182c13d87

SHA256
75cb929453116220b642f3a84c07ecf03678189df9a6e04b0e3f184d2ad184e8

SHA512
ceaee34964523ebbec797f42eca2f3f76ac5c742baab858f626f4adef1eb9d94d412c7130a41a7c12d5015df4ce10137bd2426e99a7fb62e3de518f45612857b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe
Filesize
3.4MB

MD5
2073b01c03cd15b2502aac1dfb22a813

SHA1
b7feb0b40f5e58fd9e0e14f61747d19182c13d87

SHA256
75cb929453116220b642f3a84c07ecf03678189df9a6e04b0e3f184d2ad184e8

SHA512
ceaee34964523ebbec797f42eca2f3f76ac5c742baab858f626f4adef1eb9d94d412c7130a41a7c12d5015df4ce10137bd2426e99a7fb62e3de518f45612857b

Download Submit
C:\Users\Admin\AppData\Local\Temp\duba_3_279.exe
Filesize
17.3MB

MD5
61d05e0ec49e0113c9b179a75f8721b0

SHA1
1b4a94a327df622e38218cccc036044fe91c5e99

SHA256
cdab7deb216875304970d76d55086a277cac500ad4d760c544d38b7b70fb7222

SHA512
f9215882254cd956802e2bdfb1acd7be0747456ff65bb1acd37d9c89bf9a1a4638ba7f4ac9c2786ef883446417e4b856fa93189b608e8b55bf5f0f892026cdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\duba_3_279.exe
Filesize
17.3MB

MD5
61d05e0ec49e0113c9b179a75f8721b0

SHA1
1b4a94a327df622e38218cccc036044fe91c5e99

SHA256
cdab7deb216875304970d76d55086a277cac500ad4d760c544d38b7b70fb7222

SHA512
f9215882254cd956802e2bdfb1acd7be0747456ff65bb1acd37d9c89bf9a1a4638ba7f4ac9c2786ef883446417e4b856fa93189b608e8b55bf5f0f892026cdca

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCP80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCR80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
Filesize
69KB

MD5
c8ed4b3af03d82cc3fe2f8c42c22326c

SHA1
78a2e216262b8f1b35e408685cf20f2fa4685d8f

SHA256
1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31

SHA512
34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe
Filesize
1.1MB

MD5
04eeb71a179940aca8073ddaa5bf4350

SHA1
02f7c99c4a2784b2db466b20c6e9c02cccc733b6

SHA256
acd8f6de1355fa40d4703149eeae1887c3f4ee0474f65c7aa257db38924e1385

SHA512
049a164a916863f037f88288faab7ce6f92d555fac4e819d6b79ed787c583f0a0d821ef173440c481f4d2a39ee1547437c6471e2e2b37cf53ad6701ede452f21

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
Filesize
337KB

MD5
bb1ce6771f3bdfa3db16106e6802cf45

SHA1
9303e90c1782df8dd383ae75235e400e4a75df25

SHA256
b30440a7fe3f2cef818e9769df7aea5af5bd150058630299c34836f0eeec0270

SHA512
d412665027d7ad1b110a9e62b8ef2d1ab500b559865bb2cfa6584347993bb1e5634e442b158b3a8cbbf2df62d5ccd81714ac3e7f97246aca7b700991147893c2

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
Filesize
337KB

MD5
bb1ce6771f3bdfa3db16106e6802cf45

SHA1
9303e90c1782df8dd383ae75235e400e4a75df25

SHA256
b30440a7fe3f2cef818e9769df7aea5af5bd150058630299c34836f0eeec0270

SHA512
d412665027d7ad1b110a9e62b8ef2d1ab500b559865bb2cfa6584347993bb1e5634e442b158b3a8cbbf2df62d5ccd81714ac3e7f97246aca7b700991147893c2

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\krecycle.exe
Filesize
495KB

MD5
c423991edd1e101d7c1aa7f2fe5d6670

SHA1
1f19d1c7e6f9189b2cdc875cc4b5c9afcf976e51

SHA256
f6cf76ca159237d0661b94d49d50657363db2df2f1b15188a60ef207c09a9ca4

SHA512
73640c9f8342ba3d51649726e85bad9510860ca836f8de21df27d9163ae0a6092a66fe8b10c3870f1ec3084a5ea1cb2917af50572b865a15d8faa8306fb9df9f

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
Filesize
259KB

MD5
1636dd864151388451acb8b2fc1fccb8

SHA1
06e3ac51140a1f7c35f79f8c69e997919838bd01

SHA256
859bdfd8e8f067c3d2328e3cc910d906d07298fd2a5ffc9e89f22df61c499126

SHA512
694911e645fc982ec31aba9283c5e247a93d05b378a3e6eee1374d7f405257bef0e665f58fe29f1dd8417169373a772b6015548c1dc4643266a457b283dcaf10

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
Filesize
259KB

MD5
1636dd864151388451acb8b2fc1fccb8

SHA1
06e3ac51140a1f7c35f79f8c69e997919838bd01

SHA256
859bdfd8e8f067c3d2328e3cc910d906d07298fd2a5ffc9e89f22df61c499126

SHA512
694911e645fc982ec31aba9283c5e247a93d05b378a3e6eee1374d7f405257bef0e665f58fe29f1dd8417169373a772b6015548c1dc4643266a457b283dcaf10

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe
Filesize
842KB

MD5
c833984034607e01850987d075f4c3b9

SHA1
c5cb941666198a1678c88faf22be0a1b0b007813

SHA256
c6027958286a3f1a0e5ff5e104d461c6a1df7e1d0a828ab78fffa506ee2cc294

SHA512
918e3fee2fae74e8f278277774d8237c658b3d7c994ec20640c81667e66671a3029bdf7ff8e9fcfdbff8f1b2d8f98bd5492d5a3200d516a47db19a2ecce72d59

Download Submit
\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe
Filesize
3.4MB

MD5
2073b01c03cd15b2502aac1dfb22a813

SHA1
b7feb0b40f5e58fd9e0e14f61747d19182c13d87

SHA256
75cb929453116220b642f3a84c07ecf03678189df9a6e04b0e3f184d2ad184e8

SHA512
ceaee34964523ebbec797f42eca2f3f76ac5c742baab858f626f4adef1eb9d94d412c7130a41a7c12d5015df4ce10137bd2426e99a7fb62e3de518f45612857b

Download Submit
\Users\Admin\AppData\Local\Temp\duba_3_279.exe
Filesize
17.3MB

MD5
61d05e0ec49e0113c9b179a75f8721b0

SHA1
1b4a94a327df622e38218cccc036044fe91c5e99

SHA256
cdab7deb216875304970d76d55086a277cac500ad4d760c544d38b7b70fb7222

SHA512
f9215882254cd956802e2bdfb1acd7be0747456ff65bb1acd37d9c89bf9a1a4638ba7f4ac9c2786ef883446417e4b856fa93189b608e8b55bf5f0f892026cdca

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\Base64.dll
Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3C95.tmp\nsRandom.dll
Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsz3C28.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsz3C28.tmp\v6svc_oem.dll
Filesize
153KB

MD5
63cab358719146a3fb71ac15ef41473b

SHA1
7d844b91eb84078ad4e574b429876fdb5f40d0d3

SHA256
0d6276b52e2b26bb161522f8cb17798d72686bcbcb65b3996d3051cbf9771f46

SHA512
8a65969ef3ef745f0b2875627ce78670d2c0b7bc0e2b9ac0f1ab08dc55654a62dcff05b42b149f38a3436fad1f73a5ddb2b7cf6ad3e43167d1f571c90e89410f

Download Submit
memory/276-89-0x0000000000000000-mapping.dmp

Download
memory/572-174-0x0000000000000000-mapping.dmp

Download
memory/684-99-0x0000000000000000-mapping.dmp

Download
memory/688-104-0x0000000000000000-mapping.dmp

Download
memory/828-77-0x0000000000000000-mapping.dmp

Download
memory/856-101-0x0000000000000000-mapping.dmp

Download
memory/916-168-0x00000000025D0000-0x0000000002763000-memory.dmp

Filesize
1.6MB

Download
memory/916-163-0x0000000000000000-mapping.dmp

Download
memory/960-73-0x0000000000000000-mapping.dmp

Download
memory/1156-69-0x0000000000000000-mapping.dmp

Download
memory/1160-106-0x0000000000000000-mapping.dmp

Download
memory/1232-142-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x0000000000000000-mapping.dmp

Download
memory/1616-135-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1616-133-0x0000000003F00000-0x0000000003F89000-memory.dmp

Filesize
548KB

Download
memory/1616-91-0x0000000000000000-mapping.dmp

Download
memory/1616-132-0x0000000003F00000-0x0000000003F89000-memory.dmp

Filesize
548KB

Download
memory/1616-113-0x0000000000000000-mapping.dmp

Download
memory/1616-122-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1616-140-0x0000000003F00000-0x0000000003F89000-memory.dmp

Filesize
548KB

Download
memory/1616-139-0x0000000003F00000-0x0000000003F89000-memory.dmp

Filesize
548KB

Download
memory/1628-83-0x0000000000000000-mapping.dmp

Download
memory/1668-87-0x0000000000000000-mapping.dmp

Download
memory/1772-97-0x0000000000000000-mapping.dmp

Download
memory/1824-178-0x00000000028B0000-0x000000000297D000-memory.dmp

Filesize
820KB

Download
memory/1824-177-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/1824-170-0x0000000000000000-mapping.dmp

Download
memory/1836-85-0x0000000000000000-mapping.dmp

Download
memory/1896-134-0x0000000003CF0000-0x0000000003E10000-memory.dmp

Filesize
1.1MB

Download
memory/1896-62-0x00000000007A1000-0x00000000007BD000-memory.dmp

Filesize
112KB

Download
memory/1896-60-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/1896-102-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/1896-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1896-118-0x0000000000491000-0x00000000004AD000-memory.dmp

Filesize
112KB

Download
memory/1896-63-0x00000000007A0000-0x00000000007CD000-memory.dmp

Filesize
180KB

Download
memory/1896-119-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/1896-121-0x0000000003CF0000-0x0000000003E10000-memory.dmp

Filesize
1.1MB

Download
memory/1908-75-0x0000000000000000-mapping.dmp

Download
memory/1952-153-0x0000000000000000-mapping.dmp

Download
memory/1956-169-0x0000000000000000-mapping.dmp

Download