b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94

Analysis

max time kernel
200s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
Size

1.3MB
MD5

6abbb18422b16c891c98960921b73710
SHA1

1babe32de699707abf119cc2d6575b7749adaa7e
SHA256

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94
SHA512

a9953bee67c15162cc02177a4a41b2885510d085ac152c647703466b9fae97ec398b116c4fb28bafb2e479eefee67360412ce3cb8425eff6f9eaa6b945aa1b6b
SSDEEP

24576:FtiDDKZVA2as75dOrCKZ7EDr5b5TyY1VGPSNg/ne5jEXmSZ2rFt0zkocp0:Fti3KZq2T1TKZm59TyY1sPisebSZUtmx

Score

9^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\nsRandom.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\nsRandom.dll	acprotect
behavioral2/memory/2032-143-0x0000000002850000-0x0000000002862000-memory.dmp	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 11 IoCs

Processes:

duba_2_2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\bc.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\kisknl.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\ksapi.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	duba_2_2.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\bc.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	duba_2_2.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	duba_2_2.exe

Executes dropped EXE 8 IoCs

Processes:

duba_2_2.exeOfficeAssist.0702.80.1159.exeOfficeAssist.0702.80.1159.exekavlog2.exekxetray.exekxescore.exekislive.exekxescore.exe

pid	process
3576	duba_2_2.exe
2872	OfficeAssist.0702.80.1159.exe
1852	OfficeAssist.0702.80.1159.exe
3596	kavlog2.exe
1740	kxetray.exe
588	kxescore.exe
8	kislive.exe
452	kxescore.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeduba_2_2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	duba_2_2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_2_2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe

Sets file execution options in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

duba_2_2.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISADDIN.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UNINST.EXE	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KDRVMGR.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISLIVE.EXE	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISMAIN.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KRECYCLE.EXE	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVLOG2.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISCALL.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXETRAY.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSIGNSP.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXESCORE.EXE	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCOMREGSVRV8.EXE	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSCAN.EXE	duba_2_2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSETUPWIZ.EXE	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe	duba_2_2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\nsRandom.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\nsRandom.dll	upx
behavioral2/memory/2032-143-0x0000000002850000-0x0000000002862000-memory.dmp	upx
behavioral2/memory/3576-247-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/3576-260-0x0000000000400000-0x000000000051E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeAssist.0702.80.1159.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	OfficeAssist.0702.80.1159.exe

Loads dropped DLL 64 IoCs

Processes:

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe

pid	process
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

duba_2_2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	duba_2_2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	duba_2_2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

duba_2_2.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_2_2.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_2_2.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

duba_2_2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 duba_2_2.exe
Drops file in System32 directory 1 IoCs

Processes:

kavlog2.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\KAVEventLog.EVT kavlog2.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	duba_2_2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

Processes:

duba_2_2.exekxetray.exekislive.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\config3a.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswebshield.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksysopteng.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\defaultshrink_skin_img.png	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\dudubao_skin_img.png	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwnp.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksbwdt.ini	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kaccclear.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kpretend.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sp3a.nlb	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\upcfg.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\karchive.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kspupwnd.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\bc.sys	duba_2_2.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\config\ksesysfiles.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kismain.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\config.ini	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\microsoft.vc80.crt.manifest	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kshmpg.ini	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\khackfix.kid	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kavquara.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kxesansp.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\computer_acc.png	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\pop.png	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kplc.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktoolupd.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\1.jpg	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.ini	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\bro.cfg	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpassport.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmdutils.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\wendujishrink_skin_img.png	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kpld.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kstools.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmddb.dat	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\tianshizhiyi.skin	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseutil.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebase.dll	duba_2_2.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.log	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\uninstallcfg.ini	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\liectrl.config	duba_2_2.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksbwdet2.dll.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\kongqizhiliang_skin_img.png	duba_2_2.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krecycle.exe	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.xml	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khistory.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksesscan.dll	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\start_acc.png	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\dudubao.skin	duba_2_2.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavpid.kid	duba_2_2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeduba_2_2.exekxescore.exekxetray.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Addins.1\ = "PPTAssist Class"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ = "PPTAssistControl Class"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Addins\CurVer\ = "PPTAssist.Addins.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	duba_2_2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Addins\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Control.1	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib\ = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	duba_2_2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_2_2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "z8hrbvqbamga52povuz8my9juv2g"	duba_2_2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	duba_2_2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID\ = "PPTAssist.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Control.1\CLSID\ = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Control\CurVer\ = "PPTAssist.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID\ = "PPTAssist.Control"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\ = "PPTAssist 1.0 ÀàÐÍ¿â"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ = "IRibbonCallback"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Addins.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Addins.1\CLSID\ = "{034DF736-A378-4292-ACAE-A561088999F5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	duba_2_2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	duba_2_2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ = "IWpsAssistControl"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Addins\CLSID\ = "{034DF736-A378-4292-ACAE-A561088999F5}"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	duba_2_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "z8hrbvqbamga52povuz8my9juv2g"	duba_2_2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Control\ = "PPTAssistControl Class"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\PPTAssist.Control\CLSID\ = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	duba_2_2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_2_2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	kxetray.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	duba_2_2.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeOfficeAssist.0702.80.1159.exeOfficeAssist.0702.80.1159.exeduba_2_2.exekxescore.exe

pid	process
4300	msedge.exe
4300	msedge.exe
2356	msedge.exe
2356	msedge.exe
2872	OfficeAssist.0702.80.1159.exe
2872	OfficeAssist.0702.80.1159.exe
2872	OfficeAssist.0702.80.1159.exe
2872	OfficeAssist.0702.80.1159.exe
2872	OfficeAssist.0702.80.1159.exe
2872	OfficeAssist.0702.80.1159.exe
1852	OfficeAssist.0702.80.1159.exe
1852	OfficeAssist.0702.80.1159.exe
3576	duba_2_2.exe
3576	duba_2_2.exe
452	kxescore.exe
452	kxescore.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

2356 msedge.exe
2356 msedge.exe
2356 msedge.exe
2356 msedge.exe
2356 msedge.exe

pid	process
664

pid	process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

duba_2_2.exeOfficeAssist.0702.80.1159.exekislive.exekxescore.exe

description	pid	process
Token: SeDebugPrivilege	3576	duba_2_2.exe
Token: SeDebugPrivilege	1852	OfficeAssist.0702.80.1159.exe
Token: SeDebugPrivilege	8	kislive.exe
Token: SeDebugPrivilege	3576	duba_2_2.exe
Token: SeDebugPrivilege	452	kxescore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2356 msedge.exe
2356 msedge.exe

pid	process
2356	msedge.exe
2356	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exemsedge.exe

description	pid	process	target process
PID 2032 wrote to memory of 4552	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4552	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4552	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4308	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4308	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4308	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2124	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2124	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2124	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 752	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 752	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 752	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3588	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3588	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3588	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3892	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3892	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3892	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 628	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 628	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 628	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2964	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2964	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2964	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4972	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4972	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4972	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4452	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4452	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4452	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2904	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2904	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2904	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 5024	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 5024	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 5024	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 448	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 448	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 448	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4348	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4348	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 4348	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3528	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3528	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 3528	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	cmd.exe
PID 2032 wrote to memory of 2356	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	msedge.exe
PID 2032 wrote to memory of 2356	2032	b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe	msedge.exe
PID 2356 wrote to memory of 3948	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 3948	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe
PID 2356 wrote to memory of 2088	2356	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe
"C:\Users\Admin\AppData\Local\Temp\b99944dc87cf9a22cc959b1a4d34f3b4d1198a9532a2ac6ed4395b17190d8a94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\install1078565.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\install1078565.exe"
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\verdana.ttf" "C:\Users\Admin\AppData\Local\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://120.55.149.181/Yjk5OTQ0ZGM4N2NmOWEyMmNjOTU5YjFhNGQzNGYzYjRkMTE5OGE5NTMyYTJhYzZlZDQzOTViMTcxOTBkOGE5NC5leGU=/40.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8f45a46f8,0x7ff8f45a4708,0x7ff8f45a4718
3⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
3⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
3⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
3⤵
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 /prefetch:8
3⤵
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3736 /prefetch:8
3⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
3⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
3⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5831193469043900010,16675824863023585421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
3⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\duba_2_2.exe
duba_2_2.exe /S
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Sets file execution options in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3596

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:1740

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
3⤵
- Executes dropped EXE
PID:588

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Users\Admin\AppData\Local\Temp\OfficeAssist.0702.80.1159.exe
OfficeAssist.0702.80.1159.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\ProgramData\kingsoft\20221003_55957\OfficeAssist.0702.80.1159.exe
"C:\ProgramData\kingsoft\20221003_55957\OfficeAssist.0702.80.1159.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll"
4⤵
- Registers COM server for autorun
- Modifies registry class
PID:4040

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
4⤵
PID:4940

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
5⤵
PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\Base64.dll
Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\Base64.dll
Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\inetc.dll
Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\nsRandom.dll
Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg703F.tmp\nsRandom.dll
Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\??\pipe\LOCAL\crashpad_2356_SMTIMHFQCYYFYFSN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-269-0x0000000002820000-0x000000000283A000-memory.dmp

Filesize
104KB

Download
memory/8-308-0x0000000002A40000-0x0000000002B0D000-memory.dmp

Filesize
820KB

Download
memory/8-268-0x0000000000000000-mapping.dmp

Download
memory/448-212-0x0000000000000000-mapping.dmp

Download
memory/452-304-0x0000000003370000-0x0000000003388000-memory.dmp

Filesize
96KB

Download
memory/452-297-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/452-278-0x0000000002100000-0x000000000212A000-memory.dmp

Filesize
168KB

Download
memory/452-286-0x0000000002121000-0x000000000212B000-memory.dmp

Filesize
40KB

Download
memory/452-280-0x0000000002130000-0x000000000215B000-memory.dmp

Filesize
172KB

Download
memory/452-274-0x00000000017C0000-0x00000000017CE000-memory.dmp

Filesize
56KB

Download
memory/452-296-0x0000000002111000-0x000000000212D000-memory.dmp

Filesize
112KB

Download
memory/452-302-0x0000000003810000-0x0000000003824000-memory.dmp

Filesize
80KB

Download
memory/452-307-0x00000000033D0000-0x00000000033EA000-memory.dmp

Filesize
104KB

Download
memory/452-303-0x0000000003830000-0x0000000003842000-memory.dmp

Filesize
72KB

Download
memory/452-298-0x0000000002141000-0x000000000215E000-memory.dmp

Filesize
116KB

Download
memory/452-300-0x00000000034B0000-0x0000000003604000-memory.dmp

Filesize
1.3MB

Download
memory/452-299-0x0000000002140000-0x000000000216B000-memory.dmp

Filesize
172KB

Download
memory/588-267-0x0000000000000000-mapping.dmp

Download
memory/628-186-0x0000000000000000-mapping.dmp

Download
memory/684-249-0x0000000000000000-mapping.dmp

Download
memory/752-169-0x0000000000000000-mapping.dmp

Download
memory/1428-254-0x0000000000000000-mapping.dmp

Download
memory/1740-290-0x0000000003980000-0x00000000039AB000-memory.dmp

Filesize
172KB

Download
memory/1740-266-0x0000000000000000-mapping.dmp

Download
memory/1740-270-0x0000000002750000-0x00000000028E3000-memory.dmp

Filesize
1.6MB

Download
memory/1740-287-0x0000000003800000-0x000000000382A000-memory.dmp

Filesize
168KB

Download
memory/1740-272-0x00000000028F0000-0x0000000002B58000-memory.dmp

Filesize
2.4MB

Download
memory/1740-275-0x0000000002CA0000-0x0000000002CB8000-memory.dmp

Filesize
96KB

Download
memory/1740-311-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/1740-282-0x0000000003850000-0x0000000003972000-memory.dmp

Filesize
1.1MB

Download
memory/1852-264-0x0000000000000000-mapping.dmp

Download
memory/2032-144-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2032-146-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2032-145-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2032-179-0x0000000000520000-0x000000000054D000-memory.dmp

Filesize
180KB

Download
memory/2032-143-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2032-135-0x00000000023B1000-0x00000000023B4000-memory.dmp

Filesize
12KB

Download
memory/2032-178-0x0000000000521000-0x000000000053D000-memory.dmp

Filesize
112KB

Download
memory/2032-175-0x0000000000521000-0x0000000000524000-memory.dmp

Filesize
12KB

Download
memory/2088-232-0x0000000000000000-mapping.dmp

Download
memory/2124-166-0x0000000000000000-mapping.dmp

Download
memory/2356-226-0x0000000000000000-mapping.dmp

Download
memory/2832-258-0x0000000000000000-mapping.dmp

Download
memory/2872-263-0x0000000000000000-mapping.dmp

Download
memory/2904-206-0x0000000000000000-mapping.dmp

Download
memory/2940-240-0x0000000000000000-mapping.dmp

Download
memory/2964-189-0x0000000000000000-mapping.dmp

Download
memory/3252-238-0x0000000000000000-mapping.dmp

Download
memory/3528-218-0x0000000000000000-mapping.dmp

Download
memory/3576-241-0x0000000000000000-mapping.dmp

Download
memory/3576-260-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3576-247-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3588-172-0x0000000000000000-mapping.dmp

Download
memory/3596-265-0x0000000000000000-mapping.dmp

Download
memory/3624-310-0x0000000000000000-mapping.dmp

Download
memory/3644-256-0x0000000000000000-mapping.dmp

Download
memory/3892-183-0x0000000000000000-mapping.dmp

Download
memory/3948-230-0x0000000000000000-mapping.dmp

Download
memory/4040-276-0x0000000000000000-mapping.dmp

Download
memory/4300-233-0x0000000000000000-mapping.dmp

Download
memory/4308-163-0x0000000000000000-mapping.dmp

Download
memory/4340-236-0x0000000000000000-mapping.dmp

Download
memory/4348-215-0x0000000000000000-mapping.dmp

Download
memory/4452-195-0x0000000000000000-mapping.dmp

Download
memory/4552-160-0x0000000000000000-mapping.dmp

Download
memory/4940-306-0x0000000000000000-mapping.dmp

Download
memory/4972-192-0x0000000000000000-mapping.dmp

Download
memory/5024-209-0x0000000000000000-mapping.dmp

Download