cobaltstrike | b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe
Size

31KB
MD5

53ae298211da868b18338d2d89bc46cc
SHA1

361ffe812c33d35620426e5cc2bc2fb0dccc6a07
SHA256

b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa
SHA512

6b322b864461f3349ce47b93b90052868f8a9aeddc7893afd6b02f3620d09cc7a81e1ffb8a8a73b9ab24d7c5513bc9cbb289508b1acc8adcd003026dcfe283b8
SSDEEP

768:ryH8hV1CeI36mVgpX8uekF08JGdJxsLoIBCYR/9m:r2R36mapX8uVF08J7HL

Score

10^/10

cobaltstrike joker backdoor bootkit discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

joker

http://tankgme.oss-cn-qingdao.aliyuncs.com

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001e6dc-140.dat	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\kisnetm64.sys	kinst_18_67.exe
File opened for modification	C:\Windows\SysWOW64\drivers\kisknl.sys	kxescore.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File created	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\ksapi.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	kinst_18_67.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	kinst_18_67.exe
File created	C:\Windows\system32\drivers\kisknl.sys	kinst_18_67.exe

Executes dropped EXE 9 IoCs

pid	Process
1132	kinst_18_67.exe
3564	KDbCIHelper.exe
1332	kavlog2.exe
2476	kxetray.exe
4660	kxescore.exe
2988	kislive.exe
4648	kxescore.exe
5064	kxetray.exe
4716	kwsprotect64.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	kinst_18_67.exe

Sets file execution options in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVLOG2.EXE	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISLIVE.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSCAN.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSIGNSP.EXE	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KDRVMGR.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISCALL.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISMAIN.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXESCORE.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISADDIN.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KRECYCLE.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXETRAY.EXE	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UNINST.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCOMREGSVRV8.EXE	kinst_18_67.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSETUPWIZ.EXE	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe	kinst_18_67.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kisknl\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\kisknl.sys"	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\kisknl\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\kisknl.sys"	kxescore.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e6dc-140.dat	upx
behavioral2/memory/1132-141-0x0000000010000000-0x000000001019D000-memory.dmp	upx
behavioral2/memory/1132-145-0x0000000010000000-0x000000001019D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe

Loads dropped DLL 64 IoCs

pid	Process
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1332	kavlog2.exe
1332	kavlog2.exe
2476	kxetray.exe
2476	kxetray.exe
2988	kislive.exe
2988	kislive.exe
2988	kislive.exe
2476	kxetray.exe
4660	kxescore.exe
4660	kxescore.exe
2988	kislive.exe
2988	kislive.exe
2988	kislive.exe
2988	kislive.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
4648	kxescore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kinst_18_67.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	kinst_18_67.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	kxetray.exe
File opened (read-only)	\??\K:	kxetray.exe
File opened (read-only)	\??\M:	kxetray.exe
File opened (read-only)	\??\O:	kxetray.exe
File opened (read-only)	\??\D:	kxetray.exe
File opened (read-only)	\??\E:	kxetray.exe
File opened (read-only)	\??\I:	kxetray.exe
File opened (read-only)	\??\Q:	kxetray.exe
File opened (read-only)	\??\X:	kxetray.exe
File opened (read-only)	\??\Y:	kxetray.exe
File opened (read-only)	\??\F:	kxetray.exe
File opened (read-only)	\??\N:	kxetray.exe
File opened (read-only)	\??\R:	kxetray.exe
File opened (read-only)	\??\S:	kxetray.exe
File opened (read-only)	\??\U:	kxetray.exe
File opened (read-only)	\??\V:	kxetray.exe
File opened (read-only)	\??\W:	kxetray.exe
File opened (read-only)	\??\Z:	kxetray.exe
File opened (read-only)	\??\L:	kxetray.exe
File opened (read-only)	\??\J:	kxetray.exe
File opened (read-only)	\??\P:	kxetray.exe
File opened (read-only)	\??\T:	kxetray.exe
File opened (read-only)	\??\H:	kxetray.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	kinst_18_67.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaearcha.dat	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxeksgpid.kid	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdf.exe	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\klengine.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\xlmodule\download\download_engine.dll	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\duba123new.ico	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kshmpgext.dll	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\deflist.dat	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\push_msg_city_list.ini	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwnp.dat	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khandler.dll	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\fdsdcache.db	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\xlmodule\download\dl_peer_id.dll	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\autoflux.dat	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\indexkcom_kwifitool.txt	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\computer_doctor.png	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\pop.png	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksscfgx.ini	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\cleanlist.dat	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswscxex.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\user.ini	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseutil.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\chupgrade.ini	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\procinfo.dat	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\indexkcom_khackfix.txt	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.ini	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kclearpanel.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmdutils.dll	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kws_init.log	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\autoflux.dat	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\data\ksoftmgrun.dat	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\tianshizhiyi.skin	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmdmon.dll.rcmdtmp	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\citys.xml	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoft.xml	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\softicon.dat	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\indexkav.txt	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\defendmon.dll	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.log	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatwin.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\fnsign.dat	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatwinsetting.ini	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\option.ini	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\clear.xml	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\inject.dat	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\urlmon.cfg	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\microsoft.vc80.crt.manifest	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speedtest.xml	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\recommendctrl.config	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdh.dat	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kxesansp.dll	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\lblocker.dll	kinst_18_67.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.log	kislive.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\procinfo.dat	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\kcom_commonfast\index.dat	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\reinstall_duba.png	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\bro.cfg	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\winesystem001.dat	kinst_18_67.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll	kinst_18_67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kxetray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kxetray.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1816	taskkill.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	kxescore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	kxescore.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "D036F34F52AA214F9836A27749190821"	kinst_18_67.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\guid = "D1FACA4F008544288E87D64268BE771A"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	kinst_18_67.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	kinst_18_67.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "3069487156"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit	kinst_18_67.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F6F795A-6457-4603-A561-684CF512AC68}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE82F604-65FC-4692-9D6E-3014CA28B8D6}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "0dead3d83e15ff533d34b9923a942a59"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "gpgzftuwnoehbhdmrgwecfq5zepk"	kinst_18_67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "3069487156"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxetray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "gpgzftuwnoehbhdmrgwecfq5zepk"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	kinst_18_67.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kinst_18_67.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	kinst_18_67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	kinst_18_67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit	kinst_18_67.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	kxescore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d701030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	kxescore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d467e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	kxescore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d701030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	kxescore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	kxescore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d467e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 0f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 1900000001000000100000002ee0c890fdcb0441fa180c6834858995030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	kxetray.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
1132	kinst_18_67.exe
1132	kinst_18_67.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
4648	kxescore.exe
4648	kxescore.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1132	kinst_18_67.exe
Token: SeDebugPrivilege	2988	kislive.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	4648	kxescore.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	4648	kxescore.exe
Token: SeDebugPrivilege	4648	kxescore.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	1132	kinst_18_67.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: 33	4648	kxescore.exe
Token: SeIncBasePriorityPrivilege	4648	kxescore.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	5064	kxetray.exe
Token: 33	5064	kxetray.exe
Token: SeIncBasePriorityPrivilege	5064	kxetray.exe
Token: SeDebugPrivilege	5064	kxetray.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5064	kxetray.exe
5064	kxetray.exe
5064	kxetray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5064	kxetray.exe
5064	kxetray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3228	OpenWith.exe
4716	kwsprotect64.exe
4716	kwsprotect64.exe
5064	kxetray.exe
5064	kxetray.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1132	4348	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe	89
PID 4348 wrote to memory of 1132	4348	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe	89
PID 4348 wrote to memory of 1132	4348	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe	89
PID 4348 wrote to memory of 2448	4348	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe	93
PID 4348 wrote to memory of 2448	4348	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe	93
PID 4348 wrote to memory of 2448	4348	b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe	93
PID 2448 wrote to memory of 1816	2448	cmd.exe	95
PID 2448 wrote to memory of 1816	2448	cmd.exe	95
PID 2448 wrote to memory of 1816	2448	cmd.exe	95
PID 1132 wrote to memory of 3564	1132	kinst_18_67.exe	96
PID 1132 wrote to memory of 3564	1132	kinst_18_67.exe	96
PID 1132 wrote to memory of 3564	1132	kinst_18_67.exe	96
PID 1132 wrote to memory of 1332	1132	kinst_18_67.exe	98
PID 1132 wrote to memory of 1332	1132	kinst_18_67.exe	98
PID 1132 wrote to memory of 1332	1132	kinst_18_67.exe	98
PID 1132 wrote to memory of 2476	1132	kinst_18_67.exe	100
PID 1132 wrote to memory of 2476	1132	kinst_18_67.exe	100
PID 1132 wrote to memory of 2476	1132	kinst_18_67.exe	100
PID 1132 wrote to memory of 4660	1132	kinst_18_67.exe	101
PID 1132 wrote to memory of 4660	1132	kinst_18_67.exe	101
PID 1132 wrote to memory of 4660	1132	kinst_18_67.exe	101
PID 1132 wrote to memory of 2988	1132	kinst_18_67.exe	102
PID 1132 wrote to memory of 2988	1132	kinst_18_67.exe	102
PID 1132 wrote to memory of 2988	1132	kinst_18_67.exe	102
PID 2476 wrote to memory of 5064	2476	kxetray.exe	105
PID 2476 wrote to memory of 5064	2476	kxetray.exe	105
PID 2476 wrote to memory of 5064	2476	kxetray.exe	105
PID 5064 wrote to memory of 4716	5064	kxetray.exe	106
PID 5064 wrote to memory of 4716	5064	kxetray.exe	106

C:\Users\Admin\AppData\Local\Temp\b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe
"C:\Users\Admin\AppData\Local\Temp\b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_18_67.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_18_67.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe" -release
    3⤵
    - Executes dropped EXE
    PID:3564
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1332
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
      "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in Program Files directory
      Checks processor information in registry
      Modifies registry class
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5064
    - - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe
        
        "kwsprotect64.exe" (null)
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4716
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4660
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3228

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe

Filesize
511KB

MD5
7c7b0abe3ae303515de3504fd9455a78

SHA1
5fec0e36fb0e157e73c1baff92065c76a8fe1808

SHA256
e53f2a8b8104bf48ea4ec955b39ab8331649dc927034991422c8264bc466d3d3

SHA512
830df5ecfbc08eaa7d4abf4087f14ccc60595e6827f500bc47e5ae2d426088f7e163d552b1806e9c70c3d961edf7f4af88f14cfcadbc5c81f7fabdad7205e629

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll

Filesize
69KB

MD5
c8ed4b3af03d82cc3fe2f8c42c22326c

SHA1
78a2e216262b8f1b35e408685cf20f2fa4685d8f

SHA256
1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31

SHA512
34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll

Filesize
69KB

MD5
c8ed4b3af03d82cc3fe2f8c42c22326c

SHA1
78a2e216262b8f1b35e408685cf20f2fa4685d8f

SHA256
1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31

SHA512
34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll

Filesize
103KB

MD5
93743861a54413c1454845b3b6f50f4d

SHA1
b0be47cde5aa95b5d911107bf1af98109a7bef74

SHA256
63e3807a73157f64db94e975569597665ece35f7234137adc21fa62a85eaa5a0

SHA512
a02707c680ddb5c1645fde212fc75e11b687d8dafddc83f7ae7824f8c425d2c13b1af0e3adb079de904e46d6f9477a6fc09fd6662643c1bc139cb496e873e83b

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll

Filesize
103KB

MD5
93743861a54413c1454845b3b6f50f4d

SHA1
b0be47cde5aa95b5d911107bf1af98109a7bef74

SHA256
63e3807a73157f64db94e975569597665ece35f7234137adc21fa62a85eaa5a0

SHA512
a02707c680ddb5c1645fde212fc75e11b687d8dafddc83f7ae7824f8c425d2c13b1af0e3adb079de904e46d6f9477a6fc09fd6662643c1bc139cb496e873e83b

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
2.0MB

MD5
c731a5374a1afe6713e0b1ab0579879d

SHA1
2eba72fad1a53378dc0e13c3f6138eb5a93042f7

SHA256
ba5a63bd0b17cca5aa13065932f0cccdef4fa6e8ea96e230e556853251a0e199

SHA512
fed0fe76897829849c5b969821c80b260451cf4e1f331df6f2eb9c532785f740caddcf39b56d4eec0db7735ab2f4b33eae056656ade21296328454dd63813f7d

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe

Filesize
1.1MB

MD5
043c3caa835a2cbefc8343de37affa14

SHA1
64c03dd64fe425defc1d588aecdec4446c581ff0

SHA256
71db8b4bcdd166bb7fde2ca17129b4a42b9c2f1173a80443d3bc3b639c69c757

SHA512
082229b47e4d9495afefc395c6837edc1e756bb534252c829f84d21f64990784ff3dda2b7d5379f067b65da7a9daea5f489d82dac3a6cf934447cbe1c0db20b1

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll

Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
169KB

MD5
ed51b66e37b1eef2d287f69595a20304

SHA1
804ad2daa0c920b51ef26c3273dcdc7a3fb02926

SHA256
ac07393f0469a15d889b48e090c7ba8cc385ba23e3d63e8b3daa2d9c0c45c076

SHA512
bc87e1566d116d6685a60f14246e96c826533f8c28f400ba361db21ddfff48f18e4bec169831fe748607d7cc427dda7aca41ca233d7cab28b98438fff23a4112

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
169KB

MD5
ed51b66e37b1eef2d287f69595a20304

SHA1
804ad2daa0c920b51ef26c3273dcdc7a3fb02926

SHA256
ac07393f0469a15d889b48e090c7ba8cc385ba23e3d63e8b3daa2d9c0c45c076

SHA512
bc87e1566d116d6685a60f14246e96c826533f8c28f400ba361db21ddfff48f18e4bec169831fe748607d7cc427dda7aca41ca233d7cab28b98438fff23a4112

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll

Filesize
833KB

MD5
7db698764bad3a0b9da3cb1dac2e3890

SHA1
42a28179b12f06350f5d99c6fb10a86a7b0cccaa

SHA256
2dc79226408f2b70a539b19a37e222159ac982334a8aecd0fb71be15f257ba3d

SHA512
9a71f1a0457e21a731c45cc3da1c3e0fef4944db6ccc27b6846d9f66a6c155ee587cd3ce1848ac2f3455cbc99152455580902391e39c5dd9a671cce6f93519a2

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll

Filesize
833KB

MD5
7db698764bad3a0b9da3cb1dac2e3890

SHA1
42a28179b12f06350f5d99c6fb10a86a7b0cccaa

SHA256
2dc79226408f2b70a539b19a37e222159ac982334a8aecd0fb71be15f257ba3d

SHA512
9a71f1a0457e21a731c45cc3da1c3e0fef4944db6ccc27b6846d9f66a6c155ee587cd3ce1848ac2f3455cbc99152455580902391e39c5dd9a671cce6f93519a2

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll

Filesize
550KB

MD5
8565494bb60368adba1b1400fecc362a

SHA1
b6727a439521118b68697c29509d99bedd71800c

SHA256
2eca3bf8c73371ce181bdd3bede07ee3c319a240df3ab18cb65fed590f6170fb

SHA512
81d56323f5e0cdeed5dcc8163813736183f6495a1a2e16a56ef9543a29a8e28ba00ca814ce145a398bae9291e29242aa4b9c2081a84192db73cac0320ec6f8e8

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
98ab194dcbf27dbce8b42a1b1dbf60b2

SHA1
7231cb6dacaeb3a171ae1c45ee220591c0640237

SHA256
fb499c586de157fd44f0c48b60ebd3c11daf20d393e0d8a5ff9a34f1503ba119

SHA512
ce011607ba7987294b7b921f90ce4c20640e19799fd5283761292480b7c7dc500c973918dee2acde71dca722208d6a6e1466da1c897071e33960ae3a23c82a69

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
98ab194dcbf27dbce8b42a1b1dbf60b2

SHA1
7231cb6dacaeb3a171ae1c45ee220591c0640237

SHA256
fb499c586de157fd44f0c48b60ebd3c11daf20d393e0d8a5ff9a34f1503ba119

SHA512
ce011607ba7987294b7b921f90ce4c20640e19799fd5283761292480b7c7dc500c973918dee2acde71dca722208d6a6e1466da1c897071e33960ae3a23c82a69

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.5MB

MD5
3228352da242e4de35d813f73b7f55c9

SHA1
48f2f02b9d5bb13590c10c8b0ccdae0dd5f345df

SHA256
72a669c9a327f7057c137dec40f3c565a037bfe20f31b5e4c8d9d510de25cfbe

SHA512
4d75270f51e913ba56afe85e5987c356f1061647f089545ab74cc2e6e5dcc62caf038007332e64b1bf0d6084be97b376f77a87d0ea9e488ddb96ad6d437ae832

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.5MB

MD5
3228352da242e4de35d813f73b7f55c9

SHA1
48f2f02b9d5bb13590c10c8b0ccdae0dd5f345df

SHA256
72a669c9a327f7057c137dec40f3c565a037bfe20f31b5e4c8d9d510de25cfbe

SHA512
4d75270f51e913ba56afe85e5987c356f1061647f089545ab74cc2e6e5dcc62caf038007332e64b1bf0d6084be97b376f77a87d0ea9e488ddb96ad6d437ae832

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
170KB

MD5
695689bd598b70aac4e97c4a1f4051a0

SHA1
2c01f87b79d34537aa6cc0a193826d73c32ff905

SHA256
85f81c8d89327e75100bf2b53cc1cbc674a154ab066a83dd612387642ac36db8

SHA512
e069dd968f7b78c8596711387c175e5becffa66d27359e3c013efe03bf1331a28a50f95a7d6eb6c0bd17b361986282d14e7af447d1365a7ae740e1a04487bd4d

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
170KB

MD5
695689bd598b70aac4e97c4a1f4051a0

SHA1
2c01f87b79d34537aa6cc0a193826d73c32ff905

SHA256
85f81c8d89327e75100bf2b53cc1cbc674a154ab066a83dd612387642ac36db8

SHA512
e069dd968f7b78c8596711387c175e5becffa66d27359e3c013efe03bf1331a28a50f95a7d6eb6c0bd17b361986282d14e7af447d1365a7ae740e1a04487bd4d

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\scom.dll

Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3772D3.dll

Filesize
18.7MB

MD5
f85489fffc65d8758751bff49ec5fe61

SHA1
334f2f3b984ed5dd28b2c492d483f7b10340f4da

SHA256
8a857847ee8a5dcbe64050312cd225935d73d1537a2bf5c4e0038b782e4fb4d3

SHA512
550d4f12a85551d484ab4f2e09261a716062ff2899eeb4b6865b202aa18c6490cbb9c5bef7c34c149ad3f5143626a802cbb582d0d87ff9a42e5e957fe02991d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe

Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe

Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b82fee436ee7c29f7c79c32704175e8e4d851cf348949216d4b88075078528fa.exe.bat

Filesize
330B

MD5
99e4edbf54b86c000d9400726ffb5ed2

SHA1
544acd25367ff5ed00efbb04048befd11d5829ac

SHA256
dab704ea74b2ef9842b862cde8afd6ad0089dd22e6863c658fd07ba14019251a

SHA512
565bc36ddc3d0a6f704b6c8dc3275e9f712e12ac5d50516c2c15d297ef39dadd5e0412e1a2bd46a364ea644427002d9d0ddc5343305646540771bfaa2bb9a5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_18_67.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_18_67.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCP80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCR80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe

Filesize
511KB

MD5
7c7b0abe3ae303515de3504fd9455a78

SHA1
5fec0e36fb0e157e73c1baff92065c76a8fe1808

SHA256
e53f2a8b8104bf48ea4ec955b39ab8331649dc927034991422c8264bc466d3d3

SHA512
830df5ecfbc08eaa7d4abf4087f14ccc60595e6827f500bc47e5ae2d426088f7e163d552b1806e9c70c3d961edf7f4af88f14cfcadbc5c81f7fabdad7205e629

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll

Filesize
103KB

MD5
93743861a54413c1454845b3b6f50f4d

SHA1
b0be47cde5aa95b5d911107bf1af98109a7bef74

SHA256
63e3807a73157f64db94e975569597665ece35f7234137adc21fa62a85eaa5a0

SHA512
a02707c680ddb5c1645fde212fc75e11b687d8dafddc83f7ae7824f8c425d2c13b1af0e3adb079de904e46d6f9477a6fc09fd6662643c1bc139cb496e873e83b

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
2.0MB

MD5
c731a5374a1afe6713e0b1ab0579879d

SHA1
2eba72fad1a53378dc0e13c3f6138eb5a93042f7

SHA256
ba5a63bd0b17cca5aa13065932f0cccdef4fa6e8ea96e230e556853251a0e199

SHA512
fed0fe76897829849c5b969821c80b260451cf4e1f331df6f2eb9c532785f740caddcf39b56d4eec0db7735ab2f4b33eae056656ade21296328454dd63813f7d

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe

Filesize
1.1MB

MD5
043c3caa835a2cbefc8343de37affa14

SHA1
64c03dd64fe425defc1d588aecdec4446c581ff0

SHA256
71db8b4bcdd166bb7fde2ca17129b4a42b9c2f1173a80443d3bc3b639c69c757

SHA512
082229b47e4d9495afefc395c6837edc1e756bb534252c829f84d21f64990784ff3dda2b7d5379f067b65da7a9daea5f489d82dac3a6cf934447cbe1c0db20b1

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll

Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
169KB

MD5
ed51b66e37b1eef2d287f69595a20304

SHA1
804ad2daa0c920b51ef26c3273dcdc7a3fb02926

SHA256
ac07393f0469a15d889b48e090c7ba8cc385ba23e3d63e8b3daa2d9c0c45c076

SHA512
bc87e1566d116d6685a60f14246e96c826533f8c28f400ba361db21ddfff48f18e4bec169831fe748607d7cc427dda7aca41ca233d7cab28b98438fff23a4112

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll

Filesize
833KB

MD5
7db698764bad3a0b9da3cb1dac2e3890

SHA1
42a28179b12f06350f5d99c6fb10a86a7b0cccaa

SHA256
2dc79226408f2b70a539b19a37e222159ac982334a8aecd0fb71be15f257ba3d

SHA512
9a71f1a0457e21a731c45cc3da1c3e0fef4944db6ccc27b6846d9f66a6c155ee587cd3ce1848ac2f3455cbc99152455580902391e39c5dd9a671cce6f93519a2

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll

Filesize
550KB

MD5
8565494bb60368adba1b1400fecc362a

SHA1
b6727a439521118b68697c29509d99bedd71800c

SHA256
2eca3bf8c73371ce181bdd3bede07ee3c319a240df3ab18cb65fed590f6170fb

SHA512
81d56323f5e0cdeed5dcc8163813736183f6495a1a2e16a56ef9543a29a8e28ba00ca814ce145a398bae9291e29242aa4b9c2081a84192db73cac0320ec6f8e8

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
98ab194dcbf27dbce8b42a1b1dbf60b2

SHA1
7231cb6dacaeb3a171ae1c45ee220591c0640237

SHA256
fb499c586de157fd44f0c48b60ebd3c11daf20d393e0d8a5ff9a34f1503ba119

SHA512
ce011607ba7987294b7b921f90ce4c20640e19799fd5283761292480b7c7dc500c973918dee2acde71dca722208d6a6e1466da1c897071e33960ae3a23c82a69

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf

Filesize
87B

MD5
47f61d0f7bd830f5bfe72c3b65941fde

SHA1
d7f440877e23679fd2c480dff2b8f3219702d681

SHA256
eb09cf1094904f0d3038ce1e981fd4366eba4000c8b6f13a3dbbaefea4797e37

SHA512
d234f17af1440aba1a4f6c2b24d04fdeb3a685f25f391cdc1ac048dfed1b470689bed5b21d7b3db94f9186445932982f462bbee8af919c1a957ab89bd69e68f5

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.5MB

MD5
3228352da242e4de35d813f73b7f55c9

SHA1
48f2f02b9d5bb13590c10c8b0ccdae0dd5f345df

SHA256
72a669c9a327f7057c137dec40f3c565a037bfe20f31b5e4c8d9d510de25cfbe

SHA512
4d75270f51e913ba56afe85e5987c356f1061647f089545ab74cc2e6e5dcc62caf038007332e64b1bf0d6084be97b376f77a87d0ea9e488ddb96ad6d437ae832

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.log

Filesize
510B

MD5
8c51eedc65d4d9c31124193e092955cc

SHA1
253a8fd7eea3d681c105157e9bc43f7cfc59c877

SHA256
226eb8c3128678d2391c51bd585fdab840e232b41dfffcfd15457b9683aaa023

SHA512
0ef54425766fd1c5723d9ea7a7c4cdd8d8e1efee5ec1373344e75d7da1b6ae1e31b22463c7e2ae10a6a41df3778aee5ba1b27d827c343de138be846d66b48be9

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kctrl.dat

Filesize
1KB

MD5
c2bc3e14809299a272b397f77be82235

SHA1
9bb8dc60826bc70e866cee0d143046d8f4bc7303

SHA256
fcea5e3aa1b20b1359327efb71889afcde46518432dc29131f472f0ae356d01b

SHA512
5847912bf6712851929df051edf1fb736cc7a71a6a2ec07eb61872d84082cd94b9c6c738ca6da7bdb91985be747f26ed463ee70dd803925d2fb7bb072e78a7b3

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx

Filesize
188KB

MD5
c751a65e70b8402dd57407235e4a77b8

SHA1
f780da545e1e3c46cdcbd1be598130cf185095d5

SHA256
609c6ea08280adc77d9bd67888aabfae36e2548c45f1bdcd7d1b726b5b0650a0

SHA512
ef2c2580e92e8494e9dad2970e13f0db89be67d1d71bd04ad6ac981c4b18ec19c85e120aa2d1d4fd4dd65610bc22c3e6ff206b31b717d2e1d176f6af2b221efa

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
170KB

MD5
695689bd598b70aac4e97c4a1f4051a0

SHA1
2c01f87b79d34537aa6cc0a193826d73c32ff905

SHA256
85f81c8d89327e75100bf2b53cc1cbc674a154ab066a83dd612387642ac36db8

SHA512
e069dd968f7b78c8596711387c175e5becffa66d27359e3c013efe03bf1331a28a50f95a7d6eb6c0bd17b361986282d14e7af447d1365a7ae740e1a04487bd4d

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\CHS\uplive.svr

Filesize
8KB

MD5
ec603d908ab59c6a7787b25da8f16db7

SHA1
8392d65ccaf0253d82b3ff5aa20d06fc65a772ef

SHA256
e5c6e080b6fd2cae9b7e8710660db35aa19c41e7d54c9fb9cb1142f979fdb1cf

SHA512
2077048ee29a30728403ca5c86e7c00310facb9e96f3655d9c2a74be0fc588fb733da3363171d5e9989e8e6a20dbdefb75532f5b0b8602a587527e15bd12367b

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kismain.ini

Filesize
68B

MD5
6143bf820c638081076f48150b06d7ac

SHA1
5d20a0809c55b0fc02dca534269fd80868b0ac33

SHA256
efff0e7846f4c9236f6996107f23b06947bc674a20418a408d312e05d12bd29c

SHA512
10b7f7f647dc3fe15f9efa9f73907129c672efc87385a5c71af2e44ba71f9768dfe39d4687f81d778f5a3914c46afa74343712262c737f07e4920fcad4e8ca14

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.dll

Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
memory/1132-145-0x0000000010000000-0x000000001019D000-memory.dmp

Filesize
1.6MB

Download
memory/1132-148-0x00000000031D1000-0x00000000031D5000-memory.dmp

Filesize
16KB

Download
memory/1132-141-0x0000000010000000-0x000000001019D000-memory.dmp

Filesize
1.6MB

Download
memory/2988-172-0x0000000002810000-0x000000000282A000-memory.dmp

Filesize
104KB

Download
memory/2988-183-0x00000000029D0000-0x0000000002AA1000-memory.dmp

Filesize
836KB

Download
memory/4348-139-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4348-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4648-247-0x0000000001CE0000-0x0000000001CF4000-memory.dmp

Filesize
80KB

Download
memory/4648-252-0x00000000041A0000-0x00000000041CD000-memory.dmp

Filesize
180KB

Download
memory/4648-219-0x0000000001C10000-0x0000000001C3B000-memory.dmp

Filesize
172KB

Download
memory/4648-251-0x0000000003690000-0x00000000036AA000-memory.dmp

Filesize
104KB

Download
memory/4648-249-0x0000000003620000-0x0000000003638000-memory.dmp

Filesize
96KB

Download
memory/4648-248-0x00000000035F0000-0x0000000003602000-memory.dmp

Filesize
72KB

Download
memory/4648-213-0x0000000001BE0000-0x0000000001C0B000-memory.dmp

Filesize
172KB

Download
memory/4648-207-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/4648-245-0x0000000002E50000-0x0000000002F73000-memory.dmp

Filesize
1.1MB

Download
memory/4648-243-0x0000000003190000-0x00000000032E4000-memory.dmp

Filesize
1.3MB

Download
memory/4648-241-0x0000000002F90000-0x0000000003043000-memory.dmp

Filesize
716KB

Download
memory/4648-236-0x0000000001BF1000-0x0000000001C0E000-memory.dmp

Filesize
116KB

Download
memory/4648-239-0x0000000001C40000-0x0000000001C6B000-memory.dmp

Filesize
172KB

Download
memory/4648-238-0x0000000001C0E000-0x0000000001C13000-memory.dmp

Filesize
20KB

Download
memory/5064-258-0x0000000004570000-0x0000000004575000-memory.dmp

Filesize
20KB

Download
memory/5064-227-0x0000000003A10000-0x0000000003B33000-memory.dmp

Filesize
1.1MB

Download
memory/5064-265-0x0000000005A30000-0x0000000005AB4000-memory.dmp

Filesize
528KB

Download
memory/5064-217-0x0000000002B00000-0x0000000002CF6000-memory.dmp

Filesize
2.0MB

Download
memory/5064-268-0x0000000005830000-0x00000000058EE000-memory.dmp

Filesize
760KB

Download
memory/5064-254-0x00000000040E0000-0x00000000040EA000-memory.dmp

Filesize
40KB

Download
memory/5064-270-0x0000000005BC0000-0x0000000005D40000-memory.dmp

Filesize
1.5MB

Download
memory/5064-256-0x0000000004550000-0x0000000004553000-memory.dmp

Filesize
12KB

Download
memory/5064-257-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/5064-235-0x00000000038A0000-0x00000000038CB000-memory.dmp

Filesize
172KB

Download
memory/5064-261-0x0000000005690000-0x00000000056C9000-memory.dmp

Filesize
228KB

Download
memory/5064-201-0x00000000029E0000-0x00000000029F8000-memory.dmp

Filesize
96KB

Download
memory/5064-221-0x0000000002D00000-0x0000000002F68000-memory.dmp

Filesize
2.4MB

Download
memory/5064-255-0x00000000040F0000-0x00000000040FA000-memory.dmp

Filesize
40KB

Download
memory/5064-272-0x00000000058F0000-0x0000000005961000-memory.dmp

Filesize
452KB

Download
memory/5064-275-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/5064-278-0x0000000006450000-0x0000000006521000-memory.dmp

Filesize
836KB

Download
memory/5064-279-0x0000000006540000-0x00000000066C9000-memory.dmp

Filesize
1.5MB

Download
memory/5064-283-0x0000000007EE0000-0x00000000080E7000-memory.dmp

Filesize
2.0MB

Download
memory/5064-285-0x00000000081F0000-0x0000000008433000-memory.dmp

Filesize
2.3MB

Download
memory/5064-287-0x00000000061B0000-0x00000000061BE000-memory.dmp

Filesize
56KB

Download
memory/5064-288-0x00000000088C0000-0x000000000896C000-memory.dmp

Filesize
688KB

Download
memory/5064-290-0x0000000008A90000-0x0000000008AA0000-memory.dmp

Filesize
64KB

Download
memory/5064-231-0x0000000003870000-0x000000000389B000-memory.dmp

Filesize
172KB

Download