cobaltstrike | e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe
Size

27KB
MD5

115d47da2b4602a57a0ce5e6cedf0d40
SHA1

30b2edaca0d4d8098dbc225dd6d26e3a048b5a24
SHA256

e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7
SHA512

d56cd79fcb88a42f6487356b72b4029b108fd9fe5c8c82d4fd4c9dd4993638cf11adb55fad4987d94ca0763364feff1b90647f87e79e57768ae9ab8d02c8c236
SSDEEP

384:rPNs6IOSB0Qgns0jfbwFz88AfeQ990P34Pkfj0eohDTkVOhvF27z/985K29T/7Ww:rPNs/OS6zcF48A2Q/0Q2C9yoYf

Score

10^/10

cobaltstrike joker backdoor bootkit discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

joker

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Drops file in Drivers directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\kisknl.sys	kxescore.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\bc.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisknl.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File created	C:\Windows\system32\drivers\rsndisp.sys	install1968982.exe
File opened for modification	C:\Windows\system32\drivers\sysmon.sys	install1968982.exe
File created	C:\Windows\system32\drivers\sysmon.sys	install1968982.exe
File opened for modification	C:\Windows\system32\drivers\rsndisp.sys	install1968982.exe
File opened for modification	C:\Windows\system32\drivers\bc.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\ksapi.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\rsutils.sys	install1968982.exe
File opened for modification	C:\Windows\system32\drivers\rsutils.sys	install1968982.exe

Executes dropped EXE 14 IoCs

pid	Process
844	duba_1_244.exe
2744	kavlog2.exe
4176	kxetray.exe
892	kxescore.exe
932	kislive.exe
3476	kxescore.exe
4944	install1968982.exe
3496	kwsprotect64.exe
4800	RsMgrSvc.exe
3752	popwndexe.exe
1732	ravmond.exe
4976	ravmond.exe
2348	Process not Found
2560	Process not Found

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_1_244.exe

Sets file execution options in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVLOG2.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCOMREGSVRV8.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KDRVMGR.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISMAIN.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KRECYCLE.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISADDIN.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXETRAY.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXESCORE.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UNINST.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSCAN.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISLIVE.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISCALL.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSIGNSP.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSETUPWIZ.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe	duba_1_244.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kisknl\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\kisknl.sys"	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\kisknl\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\kisknl.sys"	kxescore.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2392-132-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2392-133-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x0003000000000703-135.dat	upx
behavioral2/files/0x0003000000000703-136.dat	upx
behavioral2/memory/844-137-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/844-245-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/4944-258-0x0000000000400000-0x0000000000600000-memory.dmp	upx
behavioral2/memory/844-263-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/2392-282-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4944-342-0x0000000000400000-0x0000000000600000-memory.dmp	upx
behavioral2/memory/4944-409-0x0000000000400000-0x0000000000600000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe

Loads dropped DLL 64 IoCs

pid	Process
844	duba_1_244.exe
2744	kavlog2.exe
2744	kavlog2.exe
2744	kavlog2.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
932	kislive.exe
932	kislive.exe
932	kislive.exe
4176	kxetray.exe
4176	kxetray.exe
892	kxescore.exe
892	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
932	kislive.exe
932	kislive.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
932	kislive.exe
932	kislive.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe
3476	kxescore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RSDTRAY = "\"C:\\Program Files (x86)\\Rising\\RSD\\popwndexe.exe\""	install1968982.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_1_244.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\desktop.ini	install1968982.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	kxetray.exe
File opened (read-only)	\??\L:	kxetray.exe
File opened (read-only)	\??\R:	kxetray.exe
File opened (read-only)	\??\Y:	kxetray.exe
File opened (read-only)	\??\E:	kxetray.exe
File opened (read-only)	\??\K:	kxetray.exe
File opened (read-only)	\??\N:	kxetray.exe
File opened (read-only)	\??\O:	kxetray.exe
File opened (read-only)	\??\V:	kxetray.exe
File opened (read-only)	\??\W:	kxetray.exe
File opened (read-only)	\??\F:	kxetray.exe
File opened (read-only)	\??\G:	kxetray.exe
File opened (read-only)	\??\P:	kxetray.exe
File opened (read-only)	\??\Q:	kxetray.exe
File opened (read-only)	\??\S:	kxetray.exe
File opened (read-only)	\??\T:	kxetray.exe
File opened (read-only)	\??\X:	kxetray.exe
File opened (read-only)	\??\D:	kxetray.exe
File opened (read-only)	\??\I:	kxetray.exe
File opened (read-only)	\??\J:	kxetray.exe
File opened (read-only)	\??\M:	kxetray.exe
File opened (read-only)	\??\U:	kxetray.exe
File opened (read-only)	\??\Z:	kxetray.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	duba_1_244.exe
File opened for modification	\??\PhysicalDrive0	install1968982.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.log	kislive.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\NetConfig.ini	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\cloudnet.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdh.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kpld.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\kcom_kwifitool\index.txt	kislive.exe
File created	C:\Program Files (x86)\Rising\RSD\update.xml	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\XMLS\CLOUDQRY.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\RsTest.ini	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\localopt.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\XMLS\LICENSE.xml	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\kcom_kvm2\index.dat	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\xlmodule\download\msvcp71.dll.z	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\download_engine.dll	kxetray.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\updater.exe	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwrcmd.dat	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetraynormal.dat	kxetray.exe
File created	C:\Program Files (x86)\Rising\RAV\XMLS\RAVCONFIG.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwssp.dll	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsui.dll	duba_1_244.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\comx3.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\RsBaseNetWrapper.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\antipromotionmon.dll	install1968982.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\ksysoptak47_tmp.dat_t	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kws_init.log	kxescore.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\rscurl.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\rslog.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\Cloudv3.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\2.jpg	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\kcom_commonfast\index.txt	kislive.exe
File created	C:\Program Files (x86)\Rising\RAV\rav936\chs.lag	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\xlmodule\download\xlbughandler.dll.z	kxetray.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\RsStub.exe	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kclearpanel.dll	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyprot.dll	duba_1_244.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\setup.dat	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\Label.dat	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\bc.sys	duba_1_244.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\XMLS\RAVMAINDUI.xml	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\virlib\virlib.cfg	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\security\kxescan\kanthack.dll	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\rscombas.dll	install1968982.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kxetray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kxetray.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4396	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ravmond.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ravmond.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ravmond.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ravmond.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcInfo = "1667721843"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\rstrayexe = "jz0xDjW4J006WCI/e1s2T1Y="	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\RAV = "jz0xDjW4B38Yww=="	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\ravmonexe = "jz0xDjW4J184RywoMRArUiYh"	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\InstallPath = "jz0xDjW4cG4cZQQUFHMKYxFjCWwnWSooMmIcaxUI"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcDll = "1699344243"	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	duba_1_244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "1423918441"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "owwh5oeb4r59arj4nknsh4heosxj"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\ProcKey = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\Title = "jz0xDjW4nc6e7fP0nZWGx/-4xg=="	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\monServerName = "jz0xDjW4B00cSzULOlBW"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\regtray = "jz0xDjW4B184fhEHDFc="	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "d4f3f3e665b252741d82bef49126387d"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\monShowName = "jz0xDjW4B184ChAjJ0gnSSZc"	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}\ProcID = "{C4A36638-6464-1B29-3030-303133000000}"	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE82F604-65FC-4692-9D6E-3014CA28B8D6}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	duba_1_244.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "1423918441"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F6F795A-6457-4603-A561-684CF512AC68}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "owwh5oeb4r59arj4nknsh4heosxj"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	duba_1_244.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcKind = "5"	install1968982.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 0f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 1900000001000000100000002ee0c890fdcb0441fa180c6834858995030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kxetray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
844	duba_1_244.exe
844	duba_1_244.exe
3476	kxescore.exe
3476	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
3476	kxescore.exe
3476	kxescore.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4944	install1968982.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
3752	popwndexe.exe
3752	popwndexe.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4976	ravmond.exe
4976	ravmond.exe
4976	ravmond.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	duba_1_244.exe
Token: SeDebugPrivilege	932	kislive.exe
Token: SeDebugPrivilege	844	duba_1_244.exe
Token: SeDebugPrivilege	3476	kxescore.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	3476	kxescore.exe
Token: SeIncBasePriorityPrivilege	3476	kxescore.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeBackupPrivilege	4800	RsMgrSvc.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4944	install1968982.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4176	kxetray.exe
Token: SeIncBasePriorityPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe
Token: SeIncBasePriorityPrivilege	4976	ravmond.exe
Token: SeDebugPrivilege	4176	kxetray.exe
Token: 33	4976	ravmond.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4176	kxetray.exe
4176	kxetray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3496	kwsprotect64.exe
3496	kwsprotect64.exe
4176	kxetray.exe
4176	kxetray.exe
4176	kxetray.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 844	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	88
PID 2392 wrote to memory of 844	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	88
PID 2392 wrote to memory of 844	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	88
PID 844 wrote to memory of 2744	844	duba_1_244.exe	90
PID 844 wrote to memory of 2744	844	duba_1_244.exe	90
PID 844 wrote to memory of 2744	844	duba_1_244.exe	90
PID 844 wrote to memory of 4176	844	duba_1_244.exe	91
PID 844 wrote to memory of 4176	844	duba_1_244.exe	91
PID 844 wrote to memory of 4176	844	duba_1_244.exe	91
PID 844 wrote to memory of 892	844	duba_1_244.exe	92
PID 844 wrote to memory of 892	844	duba_1_244.exe	92
PID 844 wrote to memory of 892	844	duba_1_244.exe	92
PID 844 wrote to memory of 932	844	duba_1_244.exe	93
PID 844 wrote to memory of 932	844	duba_1_244.exe	93
PID 844 wrote to memory of 932	844	duba_1_244.exe	93
PID 2392 wrote to memory of 4944	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	97
PID 2392 wrote to memory of 4944	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	97
PID 2392 wrote to memory of 4944	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	97
PID 2392 wrote to memory of 3792	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	98
PID 2392 wrote to memory of 3792	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	98
PID 2392 wrote to memory of 3792	2392	e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe	98
PID 3792 wrote to memory of 4396	3792	cmd.exe	100
PID 3792 wrote to memory of 4396	3792	cmd.exe	100
PID 3792 wrote to memory of 4396	3792	cmd.exe	100
PID 4176 wrote to memory of 3496	4176	kxetray.exe	101
PID 4176 wrote to memory of 3496	4176	kxetray.exe	101
PID 4944 wrote to memory of 3752	4944	install1968982.exe	103
PID 4944 wrote to memory of 3752	4944	install1968982.exe	103
PID 4944 wrote to memory of 3752	4944	install1968982.exe	103
PID 4944 wrote to memory of 2036	4944	install1968982.exe	105
PID 4944 wrote to memory of 2036	4944	install1968982.exe	105
PID 4944 wrote to memory of 1732	4944	install1968982.exe	106
PID 4944 wrote to memory of 1732	4944	install1968982.exe	106
PID 4944 wrote to memory of 1732	4944	install1968982.exe	106

C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe
"C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2744
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe
      "kwsprotect64.exe" (null)
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3496
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:892
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Program Files (x86)\Rising\RSD\popwndexe.exe
    "C:\Program Files (x86)\Rising\RSD\popwndexe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3752
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s RavExt64.dll
    3⤵
    PID:2036
- - C:\Program Files (x86)\Rising\RAV\ravmond.exe
    "C:\Program Files (x86)\Rising\RAV\ravmond.exe" -srv setup /SLIENCE
    3⤵
    - Executes dropped EXE
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4396

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe
"C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Program Files (x86)\Rising\RAV\ravmond.exe
"C:\Program Files (x86)\Rising\RAV\ravmond.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe

Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll

Filesize
69KB

MD5
c8ed4b3af03d82cc3fe2f8c42c22326c

SHA1
78a2e216262b8f1b35e408685cf20f2fa4685d8f

SHA256
1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31

SHA512
34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kdgui2.dll

Filesize
2.3MB

MD5
a92d18cc7a99aec1d883e8b9d0672173

SHA1
8a166811d6f054526fbcd52871e76741544b2df0

SHA256
68f3b9c0125020054e0feec30c533ff9880172bb1e5f70f97060a2c4f932a27f

SHA512
8b3cac48c0f0e82c0865f9af0efc032682f3f4e2cf90f498a1fbbe3f57254a3efd27e46d0e9f8340a4c8a5f717511e69ad0e6f0fb04de52102412fc5cbef77a1

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kdgui2.dll

Filesize
2.3MB

MD5
a92d18cc7a99aec1d883e8b9d0672173

SHA1
8a166811d6f054526fbcd52871e76741544b2df0

SHA256
68f3b9c0125020054e0feec30c533ff9880172bb1e5f70f97060a2c4f932a27f

SHA512
8b3cac48c0f0e82c0865f9af0efc032682f3f4e2cf90f498a1fbbe3f57254a3efd27e46d0e9f8340a4c8a5f717511e69ad0e6f0fb04de52102412fc5cbef77a1

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll

Filesize
103KB

MD5
3586625614c996cc260a2a152ab8f1b0

SHA1
f154aef164edbd7c662797240c679ecadc7161be

SHA256
5351deba22337bd76478f9c1b90d064967dc3dbd122fb6c648a1fc3790c45ced

SHA512
ad0c714bfc1cd319d54447c18337f7273e35789b66e533003844a5322d2647f5dedd6b7eab8c4922bd466d51264b88a242efffe254384cae745821e38fb4d8d0

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll

Filesize
103KB

MD5
3586625614c996cc260a2a152ab8f1b0

SHA1
f154aef164edbd7c662797240c679ecadc7161be

SHA256
5351deba22337bd76478f9c1b90d064967dc3dbd122fb6c648a1fc3790c45ced

SHA512
ad0c714bfc1cd319d54447c18337f7273e35789b66e533003844a5322d2647f5dedd6b7eab8c4922bd466d51264b88a242efffe254384cae745821e38fb4d8d0

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
1.6MB

MD5
fccdf488e36b66678a93cca1648bf0ef

SHA1
a6347d6ab64ca8f4481cf4a4eb3751cbfd7e6811

SHA256
bdf2621ffb574ff98c82e57060d9c9a41b0501499211ac0e85edea569eb3cbcf

SHA512
c1a4f17a8aa0347cb99fdbee8c3903de22fe38dbcbfa113340ab25e7f742ee7792846327a30e499eaeeff5217a8b3097af0a5fe5ce88ec2d518e2f151f81c792

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
1.6MB

MD5
fccdf488e36b66678a93cca1648bf0ef

SHA1
a6347d6ab64ca8f4481cf4a4eb3751cbfd7e6811

SHA256
bdf2621ffb574ff98c82e57060d9c9a41b0501499211ac0e85edea569eb3cbcf

SHA512
c1a4f17a8aa0347cb99fdbee8c3903de22fe38dbcbfa113340ab25e7f742ee7792846327a30e499eaeeff5217a8b3097af0a5fe5ce88ec2d518e2f151f81c792

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe

Filesize
1.1MB

MD5
04eeb71a179940aca8073ddaa5bf4350

SHA1
02f7c99c4a2784b2db466b20c6e9c02cccc733b6

SHA256
acd8f6de1355fa40d4703149eeae1887c3f4ee0474f65c7aa257db38924e1385

SHA512
049a164a916863f037f88288faab7ce6f92d555fac4e819d6b79ed787c583f0a0d821ef173440c481f4d2a39ee1547437c6471e2e2b37cf53ad6701ede452f21

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll

Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
165KB

MD5
8086981942ab9ac3452c7849a22ee8d3

SHA1
3c5ec53f218104723d5ad4cd43f78820fd91c51c

SHA256
9b1630cecc04db55dde9ae0ab1b7165224e3b4317a7ff4df4eb1cc254ffd0bd2

SHA512
d6884dc41f0a880a2dfc0198c7a4cc200e93345e19b52586520cb50bdf3e2ac8b0ecad7c4297120e2c3f48ab74973a414e332ffaa7112fcd3c057f3758625a97

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
165KB

MD5
8086981942ab9ac3452c7849a22ee8d3

SHA1
3c5ec53f218104723d5ad4cd43f78820fd91c51c

SHA256
9b1630cecc04db55dde9ae0ab1b7165224e3b4317a7ff4df4eb1cc254ffd0bd2

SHA512
d6884dc41f0a880a2dfc0198c7a4cc200e93345e19b52586520cb50bdf3e2ac8b0ecad7c4297120e2c3f48ab74973a414e332ffaa7112fcd3c057f3758625a97

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll

Filesize
169KB

MD5
c1319f00e5b0ec32b8bcfccd2ed5968c

SHA1
4d6a138afb8c43981b0e448132b139f52de52ad9

SHA256
ab90f450bda31298fc111d30e8803e68d59b5c0ea4da99c89b478b5a9c02a0bf

SHA512
5c901037de21be5ede80fccdf74258e22c576e518b93ac996d30f62c33a5fd21701f4e95cc21e01d3d7e3efb4c359b89554a553ffad732c354b97a70972171fb

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll

Filesize
816KB

MD5
53de7a10d35eb29067271ac7b7b290f0

SHA1
a90dbc5ac916171f0c79e617012945f020382137

SHA256
8a19b8ea0aa65e41911a9f411cf93b9555ce5a8e308f5b37fc124e312b562938

SHA512
c0e1d557adcce95697c83cb5521f72d62f3f3bc77c4bd46aab32070bb796c33b4d09d9399fb969ed5af8dedd0f2b6b917fd36355d17d5a922a2200fb39795892

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll

Filesize
816KB

MD5
53de7a10d35eb29067271ac7b7b290f0

SHA1
a90dbc5ac916171f0c79e617012945f020382137

SHA256
8a19b8ea0aa65e41911a9f411cf93b9555ce5a8e308f5b37fc124e312b562938

SHA512
c0e1d557adcce95697c83cb5521f72d62f3f3bc77c4bd46aab32070bb796c33b4d09d9399fb969ed5af8dedd0f2b6b917fd36355d17d5a922a2200fb39795892

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll

Filesize
550KB

MD5
8565494bb60368adba1b1400fecc362a

SHA1
b6727a439521118b68697c29509d99bedd71800c

SHA256
2eca3bf8c73371ce181bdd3bede07ee3c319a240df3ab18cb65fed590f6170fb

SHA512
81d56323f5e0cdeed5dcc8163813736183f6495a1a2e16a56ef9543a29a8e28ba00ca814ce145a398bae9291e29242aa4b9c2081a84192db73cac0320ec6f8e8

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
479263a138a81ac646a04a7ca1060821

SHA1
7bdd2ab8f03fd82d9c8e4e3c9af9ea1a365cd6d3

SHA256
bcd9860da984d0cf04a7ddbe7586c9b0d7207864abe203e80ade6f386d83b36d

SHA512
136121c3f1db93788021e910df1308ced47072a2a076e6d68773a5a1795ca62a075bf3d21dd318ce185dc7ddb6336c5300a71866f5c32f64a69e80931dea63d7

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
479263a138a81ac646a04a7ca1060821

SHA1
7bdd2ab8f03fd82d9c8e4e3c9af9ea1a365cd6d3

SHA256
bcd9860da984d0cf04a7ddbe7586c9b0d7207864abe203e80ade6f386d83b36d

SHA512
136121c3f1db93788021e910df1308ced47072a2a076e6d68773a5a1795ca62a075bf3d21dd318ce185dc7ddb6336c5300a71866f5c32f64a69e80931dea63d7

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
166KB

MD5
170899a660d5d4a350edf80c77334136

SHA1
8119313e8a998ad83ee6a13ef88b6fa1c2a0fcae

SHA256
3672f758b4e875a66b2d95721c89a5ddd7d0eef27b10db254f321041c9f6cf43

SHA512
a87f2fe159f5cae36feda263f10473c7a0df0ddb5c4b82ded1d55b43d4223a4d03ce2a5b7254400d89cff2583f28c793dad2e8cc19cf98a54c42644f08ff7fd3

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\scom.dll

Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kfcdetect.dll

Filesize
1.1MB

MD5
caa41aadf7e40886e0715d3f69cc70ad

SHA1
322d99ed0063d204e4ce6755d55cc95420aa4986

SHA256
3f93a2d349b9814f3cedac8b5fe6c7eff1dcb65a85e45d02677831ad34585a0f

SHA512
62e35e2340b2d541340a1c55714f1419a9fdceab341e190999f312c6d24f45385c719baaa6576a89bac24e2f07dd5559a2e38a870bcb94e0a0c4005e6f4bc4fa

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kfcdetect.dll

Filesize
1.1MB

MD5
caa41aadf7e40886e0715d3f69cc70ad

SHA1
322d99ed0063d204e4ce6755d55cc95420aa4986

SHA256
3f93a2d349b9814f3cedac8b5fe6c7eff1dcb65a85e45d02677831ad34585a0f

SHA512
62e35e2340b2d541340a1c55714f1419a9fdceab341e190999f312c6d24f45385c719baaa6576a89bac24e2f07dd5559a2e38a870bcb94e0a0c4005e6f4bc4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
16.8MB

MD5
1f1c87b2b8528523907cc58c00923df8

SHA1
ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

SHA256
37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

SHA512
2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
16.8MB

MD5
1f1c87b2b8528523907cc58c00923df8

SHA1
ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

SHA256
37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

SHA512
2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCP80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCR80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\config.ini

Filesize
520B

MD5
4ae3bd84656ce40edeaa5fc46e16c428

SHA1
d247b020187d1cdcf7e8ddd5e63e42f1bba9e968

SHA256
cade0f424f925ae5403bff30338d1ae37670b09336ce53c7d0d45008d61412b9

SHA512
682ee7229018abf0d5e1eeccb2a09d14a3233271045eb8fff51d4239e42a15c81dec5906a3696ec3a41bf2acfc46252dffd9891abde37868510b8e8e0b16b791

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\shrink_skin_config.ini

Filesize
152B

MD5
23f1c4d330b46f3b1cdb15f0ebf403f0

SHA1
ba131eeb07ec9f03291355587e71a6cda08fb207

SHA256
460a5926d2d99a52022e312754b160ae1c6e8def3e4a43069f44608199ba7f68

SHA512
90b8c990cd841e2180de72ebf4445a6aeabda48ae862c7526170b09d264858ede86ac5c47acc68d83266441662390bf17b001d993ad859923665167535a916f6

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe

Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdgui2.dll

Filesize
2.3MB

MD5
a92d18cc7a99aec1d883e8b9d0672173

SHA1
8a166811d6f054526fbcd52871e76741544b2df0

SHA256
68f3b9c0125020054e0feec30c533ff9880172bb1e5f70f97060a2c4f932a27f

SHA512
8b3cac48c0f0e82c0865f9af0efc032682f3f4e2cf90f498a1fbbe3f57254a3efd27e46d0e9f8340a4c8a5f717511e69ad0e6f0fb04de52102412fc5cbef77a1

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll

Filesize
103KB

MD5
3586625614c996cc260a2a152ab8f1b0

SHA1
f154aef164edbd7c662797240c679ecadc7161be

SHA256
5351deba22337bd76478f9c1b90d064967dc3dbd122fb6c648a1fc3790c45ced

SHA512
ad0c714bfc1cd319d54447c18337f7273e35789b66e533003844a5322d2647f5dedd6b7eab8c4922bd466d51264b88a242efffe254384cae745821e38fb4d8d0

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
1.6MB

MD5
fccdf488e36b66678a93cca1648bf0ef

SHA1
a6347d6ab64ca8f4481cf4a4eb3751cbfd7e6811

SHA256
bdf2621ffb574ff98c82e57060d9c9a41b0501499211ac0e85edea569eb3cbcf

SHA512
c1a4f17a8aa0347cb99fdbee8c3903de22fe38dbcbfa113340ab25e7f742ee7792846327a30e499eaeeff5217a8b3097af0a5fe5ce88ec2d518e2f151f81c792

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe

Filesize
1.1MB

MD5
04eeb71a179940aca8073ddaa5bf4350

SHA1
02f7c99c4a2784b2db466b20c6e9c02cccc733b6

SHA256
acd8f6de1355fa40d4703149eeae1887c3f4ee0474f65c7aa257db38924e1385

SHA512
049a164a916863f037f88288faab7ce6f92d555fac4e819d6b79ed787c583f0a0d821ef173440c481f4d2a39ee1547437c6471e2e2b37cf53ad6701ede452f21

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll

Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
165KB

MD5
8086981942ab9ac3452c7849a22ee8d3

SHA1
3c5ec53f218104723d5ad4cd43f78820fd91c51c

SHA256
9b1630cecc04db55dde9ae0ab1b7165224e3b4317a7ff4df4eb1cc254ffd0bd2

SHA512
d6884dc41f0a880a2dfc0198c7a4cc200e93345e19b52586520cb50bdf3e2ac8b0ecad7c4297120e2c3f48ab74973a414e332ffaa7112fcd3c057f3758625a97

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll

Filesize
169KB

MD5
c1319f00e5b0ec32b8bcfccd2ed5968c

SHA1
4d6a138afb8c43981b0e448132b139f52de52ad9

SHA256
ab90f450bda31298fc111d30e8803e68d59b5c0ea4da99c89b478b5a9c02a0bf

SHA512
5c901037de21be5ede80fccdf74258e22c576e518b93ac996d30f62c33a5fd21701f4e95cc21e01d3d7e3efb4c359b89554a553ffad732c354b97a70972171fb

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll

Filesize
816KB

MD5
53de7a10d35eb29067271ac7b7b290f0

SHA1
a90dbc5ac916171f0c79e617012945f020382137

SHA256
8a19b8ea0aa65e41911a9f411cf93b9555ce5a8e308f5b37fc124e312b562938

SHA512
c0e1d557adcce95697c83cb5521f72d62f3f3bc77c4bd46aab32070bb796c33b4d09d9399fb969ed5af8dedd0f2b6b917fd36355d17d5a922a2200fb39795892

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll

Filesize
550KB

MD5
8565494bb60368adba1b1400fecc362a

SHA1
b6727a439521118b68697c29509d99bedd71800c

SHA256
2eca3bf8c73371ce181bdd3bede07ee3c319a240df3ab18cb65fed590f6170fb

SHA512
81d56323f5e0cdeed5dcc8163813736183f6495a1a2e16a56ef9543a29a8e28ba00ca814ce145a398bae9291e29242aa4b9c2081a84192db73cac0320ec6f8e8

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
479263a138a81ac646a04a7ca1060821

SHA1
7bdd2ab8f03fd82d9c8e4e3c9af9ea1a365cd6d3

SHA256
bcd9860da984d0cf04a7ddbe7586c9b0d7207864abe203e80ade6f386d83b36d

SHA512
136121c3f1db93788021e910df1308ced47072a2a076e6d68773a5a1795ca62a075bf3d21dd318ce185dc7ddb6336c5300a71866f5c32f64a69e80931dea63d7

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf

Filesize
87B

MD5
47f61d0f7bd830f5bfe72c3b65941fde

SHA1
d7f440877e23679fd2c480dff2b8f3219702d681

SHA256
eb09cf1094904f0d3038ce1e981fd4366eba4000c8b6f13a3dbbaefea4797e37

SHA512
d234f17af1440aba1a4f6c2b24d04fdeb3a685f25f391cdc1ac048dfed1b470689bed5b21d7b3db94f9186445932982f462bbee8af919c1a957ab89bd69e68f5

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kctrl.dat

Filesize
1KB

MD5
57e60b666f6c98a0b5ca1f1f7c01a2fa

SHA1
f478d9b50584bad36354b466841f485571064c5f

SHA256
2c3efa207ee854ce1c9f46bfa577a70818f820e90d2ab784725017c334448867

SHA512
fdbc5a5b2d4d134bcbe3651e5c1da6cb894f020cbcc15a2c016d96ea45d043ada5ca5628df993a8fd5e40bc1663ffe772b93682fd71c3b17f3d2db8590be3ec1

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx

Filesize
157KB

MD5
5e5d4efe2127670ca170e46ca673711b

SHA1
c95d1a8abe4fdbaf1d74c5044e0482463f47956e

SHA256
c840ad47829717a9f0855b7476b5fcf4c2f717d5e8475adba04a7d2c949db814

SHA512
f9a5d2fd02e0b1bcec3df3d1d811284ca4fdf1b7fc7b741b8fdcc22d339f21d19abde2da5d8ebb40946859ec1654be361d1b315dc7d392abb68b3d233c0cc980

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
166KB

MD5
170899a660d5d4a350edf80c77334136

SHA1
8119313e8a998ad83ee6a13ef88b6fa1c2a0fcae

SHA256
3672f758b4e875a66b2d95721c89a5ddd7d0eef27b10db254f321041c9f6cf43

SHA512
a87f2fe159f5cae36feda263f10473c7a0df0ddb5c4b82ded1d55b43d4223a4d03ce2a5b7254400d89cff2583f28c793dad2e8cc19cf98a54c42644f08ff7fd3

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.dll

Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kfcdetect.dll

Filesize
1.1MB

MD5
caa41aadf7e40886e0715d3f69cc70ad

SHA1
322d99ed0063d204e4ce6755d55cc95420aa4986

SHA256
3f93a2d349b9814f3cedac8b5fe6c7eff1dcb65a85e45d02677831ad34585a0f

SHA512
62e35e2340b2d541340a1c55714f1419a9fdceab341e190999f312c6d24f45385c719baaa6576a89bac24e2f07dd5559a2e38a870bcb94e0a0c4005e6f4bc4fa

Download Submit
memory/844-245-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/844-137-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/844-263-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/932-200-0x0000000002A00000-0x0000000002ACD000-memory.dmp

Filesize
820KB

Download
memory/932-166-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/2392-282-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2392-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2392-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3476-274-0x0000000006650000-0x000000000666C000-memory.dmp

Filesize
112KB

Download
memory/3476-276-0x00000000069B0000-0x00000000069F9000-memory.dmp

Filesize
292KB

Download
memory/3476-195-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/3476-255-0x0000000004930000-0x0000000004949000-memory.dmp

Filesize
100KB

Download
memory/3476-205-0x0000000001B90000-0x0000000001BBA000-memory.dmp

Filesize
168KB

Download
memory/3476-267-0x0000000005F50000-0x0000000006003000-memory.dmp

Filesize
716KB

Download
memory/3476-235-0x0000000002F00000-0x0000000003054000-memory.dmp

Filesize
1.3MB

Download
memory/3476-237-0x0000000003280000-0x0000000003294000-memory.dmp

Filesize
80KB

Download
memory/3476-238-0x00000000032A0000-0x00000000032B2000-memory.dmp

Filesize
72KB

Download
memory/3476-239-0x00000000032C0000-0x00000000032D8000-memory.dmp

Filesize
96KB

Download
memory/3476-217-0x0000000001BC0000-0x0000000001BEB000-memory.dmp

Filesize
172KB

Download
memory/3476-241-0x00000000032E0000-0x00000000032FA000-memory.dmp

Filesize
104KB

Download
memory/3476-247-0x0000000004AA0000-0x0000000004BC2000-memory.dmp

Filesize
1.1MB

Download
memory/3476-254-0x0000000004931000-0x000000000493F000-memory.dmp

Filesize
56KB

Download
memory/3476-224-0x0000000001BB1000-0x0000000001BBB000-memory.dmp

Filesize
40KB

Download
memory/3476-271-0x0000000006150000-0x000000000616C000-memory.dmp

Filesize
112KB

Download
memory/4176-278-0x0000000009BE0000-0x0000000009BF0000-memory.dmp

Filesize
64KB

Download
memory/4176-180-0x00000000028F0000-0x0000000002B58000-memory.dmp

Filesize
2.4MB

Download
memory/4176-251-0x0000000005320000-0x00000000054A1000-memory.dmp

Filesize
1.5MB

Download
memory/4176-256-0x0000000008810000-0x0000000008A3E000-memory.dmp

Filesize
2.2MB

Download
memory/4176-223-0x00000000036F0000-0x000000000371B000-memory.dmp

Filesize
172KB

Download
memory/4176-259-0x0000000009400000-0x000000000945F000-memory.dmp

Filesize
380KB

Download
memory/4176-261-0x0000000009AE0000-0x0000000009B19000-memory.dmp

Filesize
228KB

Download
memory/4176-213-0x0000000003780000-0x00000000038A2000-memory.dmp

Filesize
1.1MB

Download
memory/4176-264-0x0000000009D00000-0x0000000009F36000-memory.dmp

Filesize
2.2MB

Download
memory/4176-266-0x0000000006470000-0x000000000647E000-memory.dmp

Filesize
56KB

Download
memory/4176-249-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4176-268-0x000000000A140000-0x000000000A1F9000-memory.dmp

Filesize
740KB

Download
memory/4176-243-0x00000000048B0000-0x00000000048BA000-memory.dmp

Filesize
40KB

Download
memory/4176-219-0x00000000036C0000-0x00000000036EA000-memory.dmp

Filesize
168KB

Download
memory/4176-246-0x00000000048D0000-0x00000000048D5000-memory.dmp

Filesize
20KB

Download
memory/4176-188-0x0000000002B60000-0x0000000002B78000-memory.dmp

Filesize
96KB

Download
memory/4176-279-0x000000000AED0000-0x000000000AEE4000-memory.dmp

Filesize
80KB

Download
memory/4176-244-0x00000000048C0000-0x00000000048C3000-memory.dmp

Filesize
12KB

Download
memory/4176-242-0x00000000048A0000-0x00000000048A9000-memory.dmp

Filesize
36KB

Download
memory/4176-170-0x0000000002750000-0x00000000028E3000-memory.dmp

Filesize
1.6MB

Download
memory/4944-342-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/4944-258-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/4944-409-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download