cobaltstrike | 790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
Size

26KB
MD5

0f9b981d348df5e559eeb65ff6f94db0
SHA1

6e7bfc51cdbb6a3360d04e3bf01f39a5611d7581
SHA256

790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4
SHA512

7064ea627a92e3904b6789f43cc592c8cebee4428e2d9a9d9f3f68f0ad6fc3bcba5cf1d9bde304ffc29545fc68f694e0c9a343d500825fe84fabc43287d7a75e
SSDEEP

384:r6NhPbj62Tj9xec1JmLfBY5vX0kda6j0eohDTkVOhvF27z/FUxiWtBlwmRz:rem2Tbar+f0Ua6C9yoYf

Score

10^/10

cobaltstrike joker backdoor bootkit discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

joker

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Drops file in Drivers directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\kisknl64.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\rsutils.sys	install1968982.exe
File opened for modification	C:\Windows\system32\drivers\rsutils.sys	install1968982.exe
File opened for modification	C:\Windows\system32\drivers\bc.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	duba_1_244.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File created	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File created	C:\Windows\system32\drivers\sysmon.sys	install1968982.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisknl.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	duba_1_244.exe
File opened for modification	C:\Windows\SysWOW64\drivers\kisknl.sys	kxescore.exe
File opened for modification	C:\Windows\system32\drivers\sysmon.sys	install1968982.exe
File created	C:\Windows\system32\drivers\bc.sys	duba_1_244.exe
File created	C:\Windows\system32\drivers\ksapi.sys	duba_1_244.exe
File opened for modification	C:\Windows\system32\drivers\rsndisp.sys	install1968982.exe
File created	C:\Windows\system32\drivers\rsndisp.sys	install1968982.exe

Executes dropped EXE 15 IoCs

pid	Process
3696	duba_1_244.exe
3868	kavlog2.exe
1756	kxetray.exe
752	kxescore.exe
4628	kislive.exe
1248	kxescore.exe
1492	kxetray.exe
4980	kwsprotect64.exe
2304	install1968982.exe
412	RsMgrSvc.exe
4984	popwndexe.exe
2888	Process not Found
2724	Process not Found
2404	ravmond.exe
4972	ravmond.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_1_244.exe

Sets file execution options in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISLIVE.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXETRAY.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSIGNSP.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCOMREGSVRV8.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSETUPWIZ.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSCAN.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KRECYCLE.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UNINST.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISCALL.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KDRVMGR.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISADDIN.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISMAIN.EXE	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KXESCORE.EXE	duba_1_244.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVLOG2.EXE	duba_1_244.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kisknl\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\kisknl.sys"	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\kisknl\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\kisknl.sys"	kxescore.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2672-132-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x0002000000021835-135.dat	upx
behavioral2/files/0x0002000000021835-134.dat	upx
behavioral2/memory/3696-136-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/3696-255-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/3696-307-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral2/memory/2672-312-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2304-314-0x0000000000400000-0x0000000000600000-memory.dmp	upx
behavioral2/memory/2304-355-0x0000000000400000-0x0000000000600000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe

Loads dropped DLL 64 IoCs

pid	Process
3696	duba_1_244.exe
3868	kavlog2.exe
3868	kavlog2.exe
1756	kxetray.exe
1756	kxetray.exe
1756	kxetray.exe
752	kxescore.exe
752	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
4628	kislive.exe
4628	kislive.exe
4628	kislive.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
4628	kislive.exe
4628	kislive.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
4628	kislive.exe
4628	kislive.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RSDTRAY = "\"C:\\Program Files (x86)\\Rising\\RSD\\popwndexe.exe\""	install1968982.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	duba_1_244.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\desktop.ini	install1968982.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	kxetray.exe
File opened (read-only)	\??\S:	kxetray.exe
File opened (read-only)	\??\T:	kxetray.exe
File opened (read-only)	\??\U:	kxetray.exe
File opened (read-only)	\??\V:	kxetray.exe
File opened (read-only)	\??\X:	kxetray.exe
File opened (read-only)	\??\D:	kxetray.exe
File opened (read-only)	\??\E:	kxetray.exe
File opened (read-only)	\??\F:	kxetray.exe
File opened (read-only)	\??\H:	kxetray.exe
File opened (read-only)	\??\N:	kxetray.exe
File opened (read-only)	\??\Y:	kxetray.exe
File opened (read-only)	\??\M:	kxetray.exe
File opened (read-only)	\??\O:	kxetray.exe
File opened (read-only)	\??\P:	kxetray.exe
File opened (read-only)	\??\G:	kxetray.exe
File opened (read-only)	\??\I:	kxetray.exe
File opened (read-only)	\??\J:	kxetray.exe
File opened (read-only)	\??\K:	kxetray.exe
File opened (read-only)	\??\L:	kxetray.exe
File opened (read-only)	\??\R:	kxetray.exe
File opened (read-only)	\??\W:	kxetray.exe
File opened (read-only)	\??\Z:	kxetray.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	install1968982.exe
File opened for modification	\??\PhysicalDrive0	duba_1_244.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khandler.dll	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kfcdetect.dll.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\kongqizhiliang_skin_img.png	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\config\ksesysfiles.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\whiteurl.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\scan_virus.png	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\data\index.txt	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\indexkav.txt	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\xlmodule\download\id.dat	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\XMLS\_RAV.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\XMLS\LICENSE.xml	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\quarantine.ini	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgrindex.dat	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdownloader.exe.rcmdtmp	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\XMLS\CLOUDQRY.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\syslay.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sp3a.nlb	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\kcom_commonfast\index.dat	kislive.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\ui\snin.htm	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\lblocker.dll	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgrproxy.exe	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll	install1968982.exe
File created	C:\Program Files (x86)\Common Files\open.ini	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe	duba_1_244.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Setup.exe	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\url.ini	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\comx3.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\antipromotionmon.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kismain.ini	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\netbank.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\indexkcom_common.dat	kislive.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\hookbase.dll	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\security\kxescan\kdhacker.sys	kxetray.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\rscurl.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\RavSetup.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\XMLS\RAVCONFIG.xml	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaearchb.dat	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\indexdata.dat	kislive.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kanthack.dll	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf	duba_1_244.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\procinfo.dat	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\ksoftmgrengine.dll	kxetray.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond	install1968982.exe
File created	C:\Program Files (x86)\Rising\RAV\CompsVer.inf	install1968982.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\jijian_skin_img.png	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\recommendctrl.config	duba_1_244.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ktool_update\kdownload\kav\data\ksoftmgrun.dat	kxetray.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\_RAV\setup.xml	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml	install1968982.exe
File opened for modification	C:\Program Files (x86)\Rising\RAV\Label.dat	install1968982.exe
File created	C:\Program Files (x86)\Rising\RSD\RSD950\CHT.lag	install1968982.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kxetray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kxetray.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1140	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ravmond.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ravmond.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ravmond.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ravmond.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE82F604-65FC-4692-9D6E-3014CA28B8D6}	kxetray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F6F795A-6457-4603-A561-684CF512AC68}	kxetray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\regtray = "qjBNnKfNFlEdKmBzHVk="	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\monShowName = "qjBNnKfNFlEdXmFXNkYCHVco"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "2a85a16caf521d11038ed265f04889fd"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcInfo = "1668040207"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\ravmonexe = "qjBNnKfNNlEdE11cIB4OBldV"	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\ProcKey = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\InstallPath = "qjBNnKfNYWA5MXVgBX0vN2AXGGICDVtcI2w5P2R8"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}\ProcID = "{1F6765B0-EFD8-1B29-3030-303133000000}"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcDll = "1699662607"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "akfhvkxrmacifnoqtwxye7qmdeqh"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcKind = "5"	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit	duba_1_244.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	duba_1_244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "857425514"	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\rstrayexe = "qjBNnKfNNkMfDFNLalUTGyc="	install1968982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	duba_1_244.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "857425514"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit	duba_1_244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	duba_1_244.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "akfhvkxrmacifnoqtwxye7qmdeqh"	duba_1_244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\RAV = "qjBNnKfNFnE9lw=="	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\Title = "qjBNnKfNjMC7uYKAjJujk47M1w=="	install1968982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\monServerName = "qjBNnKfNFkM5H0R/K15z"	install1968982.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 0f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 1900000001000000100000002ee0c890fdcb0441fa180c6834858995030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	kxetray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
3696	duba_1_244.exe
3696	duba_1_244.exe
1492	kxetray.exe
1492	kxetray.exe
1248	kxescore.exe
1248	kxescore.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	duba_1_244.exe
Token: SeDebugPrivilege	4628	kislive.exe
Token: SeDebugPrivilege	1248	kxescore.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	3696	duba_1_244.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: 33	1248	kxescore.exe
Token: SeIncBasePriorityPrivilege	1248	kxescore.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: 33	1492	kxetray.exe
Token: SeIncBasePriorityPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeBackupPrivilege	412	RsMgrSvc.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	2304	install1968982.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: SeDebugPrivilege	1492	kxetray.exe
Token: 33	4972	ravmond.exe
Token: SeIncBasePriorityPrivilege	4972	ravmond.exe
Token: SeDebugPrivilege	1492	kxetray.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1492	kxetray.exe
1492	kxetray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4980	kwsprotect64.exe
4980	kwsprotect64.exe
1492	kxetray.exe
1492	kxetray.exe
1492	kxetray.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3696	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	90
PID 2672 wrote to memory of 3696	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	90
PID 2672 wrote to memory of 3696	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	90
PID 3696 wrote to memory of 3868	3696	duba_1_244.exe	92
PID 3696 wrote to memory of 3868	3696	duba_1_244.exe	92
PID 3696 wrote to memory of 3868	3696	duba_1_244.exe	92
PID 3696 wrote to memory of 1756	3696	duba_1_244.exe	93
PID 3696 wrote to memory of 1756	3696	duba_1_244.exe	93
PID 3696 wrote to memory of 1756	3696	duba_1_244.exe	93
PID 3696 wrote to memory of 752	3696	duba_1_244.exe	94
PID 3696 wrote to memory of 752	3696	duba_1_244.exe	94
PID 3696 wrote to memory of 752	3696	duba_1_244.exe	94
PID 3696 wrote to memory of 4628	3696	duba_1_244.exe	95
PID 3696 wrote to memory of 4628	3696	duba_1_244.exe	95
PID 3696 wrote to memory of 4628	3696	duba_1_244.exe	95
PID 1756 wrote to memory of 1492	1756	kxetray.exe	98
PID 1756 wrote to memory of 1492	1756	kxetray.exe	98
PID 1756 wrote to memory of 1492	1756	kxetray.exe	98
PID 1492 wrote to memory of 4980	1492	kxetray.exe	100
PID 1492 wrote to memory of 4980	1492	kxetray.exe	100
PID 2672 wrote to memory of 2304	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	101
PID 2672 wrote to memory of 2304	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	101
PID 2672 wrote to memory of 2304	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	101
PID 2672 wrote to memory of 3020	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	103
PID 2672 wrote to memory of 3020	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	103
PID 2672 wrote to memory of 3020	2672	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	103
PID 3020 wrote to memory of 1140	3020	cmd.exe	104
PID 3020 wrote to memory of 1140	3020	cmd.exe	104
PID 3020 wrote to memory of 1140	3020	cmd.exe	104
PID 2304 wrote to memory of 4984	2304	install1968982.exe	107
PID 2304 wrote to memory of 4984	2304	install1968982.exe	107
PID 2304 wrote to memory of 4984	2304	install1968982.exe	107
PID 2304 wrote to memory of 948	2304	install1968982.exe	108
PID 2304 wrote to memory of 948	2304	install1968982.exe	108
PID 2304 wrote to memory of 2404	2304	install1968982.exe	109
PID 2304 wrote to memory of 2404	2304	install1968982.exe	109
PID 2304 wrote to memory of 2404	2304	install1968982.exe	109

C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
"C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:3868
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
      "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in Program Files directory
      Checks processor information in registry
      Modifies registry class
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1492
    - - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe
        
        "kwsprotect64.exe" (null)
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4980
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:752
- - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
    "c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files (x86)\Rising\RSD\popwndexe.exe
    "C:\Program Files (x86)\Rising\RSD\popwndexe.exe"
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s RavExt64.dll
    3⤵
    PID:948
- - C:\Program Files (x86)\Rising\RAV\ravmond.exe
    "C:\Program Files (x86)\Rising\RAV\ravmond.exe" -srv setup /SLIENCE
    3⤵
    - Executes dropped EXE
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM 790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1140

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe
"C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Program Files (x86)\Rising\RAV\ravmond.exe
"C:\Program Files (x86)\Rising\RAV\ravmond.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll

Filesize
79KB

MD5
7b1072b86f352df690b9630a34d3da6d

SHA1
4a51d7fa99143e28630c490f79df94cb73f7ecba

SHA256
eeff91e865187d1dfebc3eda9f2fd710309efce434bd6e564a948796e678fb26

SHA512
6231c7eec532d904155f9565aae8221461b1871931ae33bdfdc88831f70136460edc147f2d109be7315f5400a1b3062b147580b0dcde7c9fe7288a786ad2f594

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll

Filesize
79KB

MD5
7b1072b86f352df690b9630a34d3da6d

SHA1
4a51d7fa99143e28630c490f79df94cb73f7ecba

SHA256
eeff91e865187d1dfebc3eda9f2fd710309efce434bd6e564a948796e678fb26

SHA512
6231c7eec532d904155f9565aae8221461b1871931ae33bdfdc88831f70136460edc147f2d109be7315f5400a1b3062b147580b0dcde7c9fe7288a786ad2f594

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe

Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll

Filesize
69KB

MD5
c8ed4b3af03d82cc3fe2f8c42c22326c

SHA1
78a2e216262b8f1b35e408685cf20f2fa4685d8f

SHA256
1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31

SHA512
34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kdgui2.dll

Filesize
2.3MB

MD5
a92d18cc7a99aec1d883e8b9d0672173

SHA1
8a166811d6f054526fbcd52871e76741544b2df0

SHA256
68f3b9c0125020054e0feec30c533ff9880172bb1e5f70f97060a2c4f932a27f

SHA512
8b3cac48c0f0e82c0865f9af0efc032682f3f4e2cf90f498a1fbbe3f57254a3efd27e46d0e9f8340a4c8a5f717511e69ad0e6f0fb04de52102412fc5cbef77a1

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kdgui2.dll

Filesize
2.3MB

MD5
a92d18cc7a99aec1d883e8b9d0672173

SHA1
8a166811d6f054526fbcd52871e76741544b2df0

SHA256
68f3b9c0125020054e0feec30c533ff9880172bb1e5f70f97060a2c4f932a27f

SHA512
8b3cac48c0f0e82c0865f9af0efc032682f3f4e2cf90f498a1fbbe3f57254a3efd27e46d0e9f8340a4c8a5f717511e69ad0e6f0fb04de52102412fc5cbef77a1

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
1.6MB

MD5
fccdf488e36b66678a93cca1648bf0ef

SHA1
a6347d6ab64ca8f4481cf4a4eb3751cbfd7e6811

SHA256
bdf2621ffb574ff98c82e57060d9c9a41b0501499211ac0e85edea569eb3cbcf

SHA512
c1a4f17a8aa0347cb99fdbee8c3903de22fe38dbcbfa113340ab25e7f742ee7792846327a30e499eaeeff5217a8b3097af0a5fe5ce88ec2d518e2f151f81c792

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
1.6MB

MD5
fccdf488e36b66678a93cca1648bf0ef

SHA1
a6347d6ab64ca8f4481cf4a4eb3751cbfd7e6811

SHA256
bdf2621ffb574ff98c82e57060d9c9a41b0501499211ac0e85edea569eb3cbcf

SHA512
c1a4f17a8aa0347cb99fdbee8c3903de22fe38dbcbfa113340ab25e7f742ee7792846327a30e499eaeeff5217a8b3097af0a5fe5ce88ec2d518e2f151f81c792

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe

Filesize
1.1MB

MD5
04eeb71a179940aca8073ddaa5bf4350

SHA1
02f7c99c4a2784b2db466b20c6e9c02cccc733b6

SHA256
acd8f6de1355fa40d4703149eeae1887c3f4ee0474f65c7aa257db38924e1385

SHA512
049a164a916863f037f88288faab7ce6f92d555fac4e819d6b79ed787c583f0a0d821ef173440c481f4d2a39ee1547437c6471e2e2b37cf53ad6701ede452f21

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll

Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
165KB

MD5
8086981942ab9ac3452c7849a22ee8d3

SHA1
3c5ec53f218104723d5ad4cd43f78820fd91c51c

SHA256
9b1630cecc04db55dde9ae0ab1b7165224e3b4317a7ff4df4eb1cc254ffd0bd2

SHA512
d6884dc41f0a880a2dfc0198c7a4cc200e93345e19b52586520cb50bdf3e2ac8b0ecad7c4297120e2c3f48ab74973a414e332ffaa7112fcd3c057f3758625a97

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
165KB

MD5
8086981942ab9ac3452c7849a22ee8d3

SHA1
3c5ec53f218104723d5ad4cd43f78820fd91c51c

SHA256
9b1630cecc04db55dde9ae0ab1b7165224e3b4317a7ff4df4eb1cc254ffd0bd2

SHA512
d6884dc41f0a880a2dfc0198c7a4cc200e93345e19b52586520cb50bdf3e2ac8b0ecad7c4297120e2c3f48ab74973a414e332ffaa7112fcd3c057f3758625a97

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll

Filesize
169KB

MD5
c1319f00e5b0ec32b8bcfccd2ed5968c

SHA1
4d6a138afb8c43981b0e448132b139f52de52ad9

SHA256
ab90f450bda31298fc111d30e8803e68d59b5c0ea4da99c89b478b5a9c02a0bf

SHA512
5c901037de21be5ede80fccdf74258e22c576e518b93ac996d30f62c33a5fd21701f4e95cc21e01d3d7e3efb4c359b89554a553ffad732c354b97a70972171fb

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll

Filesize
169KB

MD5
c1319f00e5b0ec32b8bcfccd2ed5968c

SHA1
4d6a138afb8c43981b0e448132b139f52de52ad9

SHA256
ab90f450bda31298fc111d30e8803e68d59b5c0ea4da99c89b478b5a9c02a0bf

SHA512
5c901037de21be5ede80fccdf74258e22c576e518b93ac996d30f62c33a5fd21701f4e95cc21e01d3d7e3efb4c359b89554a553ffad732c354b97a70972171fb

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll

Filesize
83KB

MD5
a16832fe4b5d9febd855df408254f3cd

SHA1
209718001bf2a2220a6f839f9feb98d91325ad77

SHA256
7271e5cb4d1b0c05c4fbb7bf64956742972bd98f2fceccb1ae43c8bf32284cfa

SHA512
7cfcb5906d432621f3a32c9e573f88541d8ef2ae9bcff2724926b620da12f4d3a69e7d67ff9af357a24fd70e61db2319155fb0f38a92ec78ff9cbd659085c927

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll

Filesize
83KB

MD5
a16832fe4b5d9febd855df408254f3cd

SHA1
209718001bf2a2220a6f839f9feb98d91325ad77

SHA256
7271e5cb4d1b0c05c4fbb7bf64956742972bd98f2fceccb1ae43c8bf32284cfa

SHA512
7cfcb5906d432621f3a32c9e573f88541d8ef2ae9bcff2724926b620da12f4d3a69e7d67ff9af357a24fd70e61db2319155fb0f38a92ec78ff9cbd659085c927

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll

Filesize
83KB

MD5
a16832fe4b5d9febd855df408254f3cd

SHA1
209718001bf2a2220a6f839f9feb98d91325ad77

SHA256
7271e5cb4d1b0c05c4fbb7bf64956742972bd98f2fceccb1ae43c8bf32284cfa

SHA512
7cfcb5906d432621f3a32c9e573f88541d8ef2ae9bcff2724926b620da12f4d3a69e7d67ff9af357a24fd70e61db2319155fb0f38a92ec78ff9cbd659085c927

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll

Filesize
83KB

MD5
a16832fe4b5d9febd855df408254f3cd

SHA1
209718001bf2a2220a6f839f9feb98d91325ad77

SHA256
7271e5cb4d1b0c05c4fbb7bf64956742972bd98f2fceccb1ae43c8bf32284cfa

SHA512
7cfcb5906d432621f3a32c9e573f88541d8ef2ae9bcff2724926b620da12f4d3a69e7d67ff9af357a24fd70e61db2319155fb0f38a92ec78ff9cbd659085c927

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll

Filesize
550KB

MD5
8565494bb60368adba1b1400fecc362a

SHA1
b6727a439521118b68697c29509d99bedd71800c

SHA256
2eca3bf8c73371ce181bdd3bede07ee3c319a240df3ab18cb65fed590f6170fb

SHA512
81d56323f5e0cdeed5dcc8163813736183f6495a1a2e16a56ef9543a29a8e28ba00ca814ce145a398bae9291e29242aa4b9c2081a84192db73cac0320ec6f8e8

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
479263a138a81ac646a04a7ca1060821

SHA1
7bdd2ab8f03fd82d9c8e4e3c9af9ea1a365cd6d3

SHA256
bcd9860da984d0cf04a7ddbe7586c9b0d7207864abe203e80ade6f386d83b36d

SHA512
136121c3f1db93788021e910df1308ced47072a2a076e6d68773a5a1795ca62a075bf3d21dd318ce185dc7ddb6336c5300a71866f5c32f64a69e80931dea63d7

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
479263a138a81ac646a04a7ca1060821

SHA1
7bdd2ab8f03fd82d9c8e4e3c9af9ea1a365cd6d3

SHA256
bcd9860da984d0cf04a7ddbe7586c9b0d7207864abe203e80ade6f386d83b36d

SHA512
136121c3f1db93788021e910df1308ced47072a2a076e6d68773a5a1795ca62a075bf3d21dd318ce185dc7ddb6336c5300a71866f5c32f64a69e80931dea63d7

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
166KB

MD5
170899a660d5d4a350edf80c77334136

SHA1
8119313e8a998ad83ee6a13ef88b6fa1c2a0fcae

SHA256
3672f758b4e875a66b2d95721c89a5ddd7d0eef27b10db254f321041c9f6cf43

SHA512
a87f2fe159f5cae36feda263f10473c7a0df0ddb5c4b82ded1d55b43d4223a4d03ce2a5b7254400d89cff2583f28c793dad2e8cc19cf98a54c42644f08ff7fd3

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
166KB

MD5
170899a660d5d4a350edf80c77334136

SHA1
8119313e8a998ad83ee6a13ef88b6fa1c2a0fcae

SHA256
3672f758b4e875a66b2d95721c89a5ddd7d0eef27b10db254f321041c9f6cf43

SHA512
a87f2fe159f5cae36feda263f10473c7a0df0ddb5c4b82ded1d55b43d4223a4d03ce2a5b7254400d89cff2583f28c793dad2e8cc19cf98a54c42644f08ff7fd3

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\scom.dll

Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
16.8MB

MD5
1f1c87b2b8528523907cc58c00923df8

SHA1
ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

SHA256
37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

SHA512
2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
16.8MB

MD5
1f1c87b2b8528523907cc58c00923df8

SHA1
ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

SHA256
37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

SHA512
2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCP80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCR80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll

Filesize
79KB

MD5
7b1072b86f352df690b9630a34d3da6d

SHA1
4a51d7fa99143e28630c490f79df94cb73f7ecba

SHA256
eeff91e865187d1dfebc3eda9f2fd710309efce434bd6e564a948796e678fb26

SHA512
6231c7eec532d904155f9565aae8221461b1871931ae33bdfdc88831f70136460edc147f2d109be7315f5400a1b3062b147580b0dcde7c9fe7288a786ad2f594

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll

Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe

Filesize
511KB

MD5
dd1443f153f7cf554addb404aff623f8

SHA1
893f24f463d03b3b19e952b85ae06daffcc466d1

SHA256
b943b7e8cdb2decca1eaf2db1683a670fc72024be8eb95f9308adec8abc50887

SHA512
6fc1062f258684a20fce9fff8cf0ee88218aca1bb2e65c4a07f6ac7624fc1536e267538ec35f37d2356eec37258f29c13203d55a6e477d1231a5f5e8e6cd19bd

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdgui2.dll

Filesize
2.3MB

MD5
a92d18cc7a99aec1d883e8b9d0672173

SHA1
8a166811d6f054526fbcd52871e76741544b2df0

SHA256
68f3b9c0125020054e0feec30c533ff9880172bb1e5f70f97060a2c4f932a27f

SHA512
8b3cac48c0f0e82c0865f9af0efc032682f3f4e2cf90f498a1fbbe3f57254a3efd27e46d0e9f8340a4c8a5f717511e69ad0e6f0fb04de52102412fc5cbef77a1

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kfloatwin.dll

Filesize
1.6MB

MD5
fccdf488e36b66678a93cca1648bf0ef

SHA1
a6347d6ab64ca8f4481cf4a4eb3751cbfd7e6811

SHA256
bdf2621ffb574ff98c82e57060d9c9a41b0501499211ac0e85edea569eb3cbcf

SHA512
c1a4f17a8aa0347cb99fdbee8c3903de22fe38dbcbfa113340ab25e7f742ee7792846327a30e499eaeeff5217a8b3097af0a5fe5ce88ec2d518e2f151f81c792

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe

Filesize
1.1MB

MD5
04eeb71a179940aca8073ddaa5bf4350

SHA1
02f7c99c4a2784b2db466b20c6e9c02cccc733b6

SHA256
acd8f6de1355fa40d4703149eeae1887c3f4ee0474f65c7aa257db38924e1385

SHA512
049a164a916863f037f88288faab7ce6f92d555fac4e819d6b79ed787c583f0a0d821ef173440c481f4d2a39ee1547437c6471e2e2b37cf53ad6701ede452f21

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll

Filesize
213KB

MD5
1dd2c3ecae68a35cde2d586aa24e0f25

SHA1
600f6a6af5b43a00c5ddd040a79afbeadba053cf

SHA256
905fbcb0f93015941e884bd37b5d196788bc4422919fead4be12fbfd42fb5440

SHA512
237f5623042dfab544458847cebe1a5f95bf83165d6155086378976b1082d7709b0fe8379ba15fff8ea39664ffe67546719983d27ce3e82cec6ac667e0f78145

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll

Filesize
165KB

MD5
8086981942ab9ac3452c7849a22ee8d3

SHA1
3c5ec53f218104723d5ad4cd43f78820fd91c51c

SHA256
9b1630cecc04db55dde9ae0ab1b7165224e3b4317a7ff4df4eb1cc254ffd0bd2

SHA512
d6884dc41f0a880a2dfc0198c7a4cc200e93345e19b52586520cb50bdf3e2ac8b0ecad7c4297120e2c3f48ab74973a414e332ffaa7112fcd3c057f3758625a97

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll

Filesize
169KB

MD5
c1319f00e5b0ec32b8bcfccd2ed5968c

SHA1
4d6a138afb8c43981b0e448132b139f52de52ad9

SHA256
ab90f450bda31298fc111d30e8803e68d59b5c0ea4da99c89b478b5a9c02a0bf

SHA512
5c901037de21be5ede80fccdf74258e22c576e518b93ac996d30f62c33a5fd21701f4e95cc21e01d3d7e3efb4c359b89554a553ffad732c354b97a70972171fb

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebase.dll

Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll

Filesize
83KB

MD5
a16832fe4b5d9febd855df408254f3cd

SHA1
209718001bf2a2220a6f839f9feb98d91325ad77

SHA256
7271e5cb4d1b0c05c4fbb7bf64956742972bd98f2fceccb1ae43c8bf32284cfa

SHA512
7cfcb5906d432621f3a32c9e573f88541d8ef2ae9bcff2724926b620da12f4d3a69e7d67ff9af357a24fd70e61db2319155fb0f38a92ec78ff9cbd659085c927

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll

Filesize
550KB

MD5
8565494bb60368adba1b1400fecc362a

SHA1
b6727a439521118b68697c29509d99bedd71800c

SHA256
2eca3bf8c73371ce181bdd3bede07ee3c319a240df3ab18cb65fed590f6170fb

SHA512
81d56323f5e0cdeed5dcc8163813736183f6495a1a2e16a56ef9543a29a8e28ba00ca814ce145a398bae9291e29242aa4b9c2081a84192db73cac0320ec6f8e8

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe

Filesize
277KB

MD5
479263a138a81ac646a04a7ca1060821

SHA1
7bdd2ab8f03fd82d9c8e4e3c9af9ea1a365cd6d3

SHA256
bcd9860da984d0cf04a7ddbe7586c9b0d7207864abe203e80ade6f386d83b36d

SHA512
136121c3f1db93788021e910df1308ced47072a2a076e6d68773a5a1795ca62a075bf3d21dd318ce185dc7ddb6336c5300a71866f5c32f64a69e80931dea63d7

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf

Filesize
87B

MD5
47f61d0f7bd830f5bfe72c3b65941fde

SHA1
d7f440877e23679fd2c480dff2b8f3219702d681

SHA256
eb09cf1094904f0d3038ce1e981fd4366eba4000c8b6f13a3dbbaefea4797e37

SHA512
d234f17af1440aba1a4f6c2b24d04fdeb3a685f25f391cdc1ac048dfed1b470689bed5b21d7b3db94f9186445932982f462bbee8af919c1a957ab89bd69e68f5

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe

Filesize
1.4MB

MD5
cee09dac2393fb81c34ea3c5ced75d31

SHA1
e2d5c7720c65b4dcd7f740104fc9f8890b68a494

SHA256
156920cf11f82d22ef2339b4a9525b2905ee496be6630c2a926eef39c3c77570

SHA512
c4710de9bc6c9f8c37ceebd600a9e9ac7c6c9dfa60d24ef4f36374cff3dc4054e6ca99e5ea9c41eed70d772d1acebf7da9ebd3b8c9ff93bcecacc8099554574f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.log

Filesize
510B

MD5
345671c7f5974628ec85dd1c9c76956f

SHA1
da9b8baef9b1deedfd525fbaf7fd107b6725b232

SHA256
cbd4b0a516a79c9a15940361a60f5aa78ee9503a155427078a2daf880312fe3f

SHA512
60dbdf9daca8839eed2a9d8039433d32afdfca0887b88b181eef270fd3ee7a90ae3a3425952a3fa6d4dc4cc468ceffd7e911a4570692af40a3c58d6b5db83223

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kctrl.dat

Filesize
1KB

MD5
57e60b666f6c98a0b5ca1f1f7c01a2fa

SHA1
f478d9b50584bad36354b466841f485571064c5f

SHA256
2c3efa207ee854ce1c9f46bfa577a70818f820e90d2ab784725017c334448867

SHA512
fdbc5a5b2d4d134bcbe3651e5c1da6cb894f020cbcc15a2c016d96ea45d043ada5ca5628df993a8fd5e40bc1663ffe772b93682fd71c3b17f3d2db8590be3ec1

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx

Filesize
157KB

MD5
5e5d4efe2127670ca170e46ca673711b

SHA1
c95d1a8abe4fdbaf1d74c5044e0482463f47956e

SHA256
c840ad47829717a9f0855b7476b5fcf4c2f717d5e8475adba04a7d2c949db814

SHA512
f9a5d2fd02e0b1bcec3df3d1d811284ca4fdf1b7fc7b741b8fdcc22d339f21d19abde2da5d8ebb40946859ec1654be361d1b315dc7d392abb68b3d233c0cc980

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll

Filesize
166KB

MD5
170899a660d5d4a350edf80c77334136

SHA1
8119313e8a998ad83ee6a13ef88b6fa1c2a0fcae

SHA256
3672f758b4e875a66b2d95721c89a5ddd7d0eef27b10db254f321041c9f6cf43

SHA512
a87f2fe159f5cae36feda263f10473c7a0df0ddb5c4b82ded1d55b43d4223a4d03ce2a5b7254400d89cff2583f28c793dad2e8cc19cf98a54c42644f08ff7fd3

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.dll

Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
memory/1248-193-0x0000000002560000-0x000000000258B000-memory.dmp

Filesize
172KB

Download
memory/1248-226-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/1248-239-0x0000000003760000-0x0000000003778000-memory.dmp

Filesize
96KB

Download
memory/1248-241-0x00000000037C0000-0x00000000037DA000-memory.dmp

Filesize
104KB

Download
memory/1248-187-0x0000000002500000-0x000000000252A000-memory.dmp

Filesize
168KB

Download
memory/1248-236-0x0000000003C00000-0x0000000003C12000-memory.dmp

Filesize
72KB

Download
memory/1248-178-0x00000000013C0000-0x00000000013CE000-memory.dmp

Filesize
56KB

Download
memory/1248-234-0x00000000026F0000-0x0000000002704000-memory.dmp

Filesize
80KB

Download
memory/1248-228-0x00000000038A0000-0x00000000039F4000-memory.dmp

Filesize
1.3MB

Download
memory/1248-208-0x0000000002521000-0x000000000252B000-memory.dmp

Filesize
40KB

Download
memory/1248-248-0x0000000006760000-0x0000000006779000-memory.dmp

Filesize
100KB

Download
memory/1248-246-0x0000000004680000-0x00000000047A2000-memory.dmp

Filesize
1.1MB

Download
memory/1492-252-0x0000000005B60000-0x0000000005B99000-memory.dmp

Filesize
228KB

Download
memory/1492-258-0x0000000006060000-0x00000000061E1000-memory.dmp

Filesize
1.5MB

Download
memory/1492-275-0x000000000D840000-0x000000000D852000-memory.dmp

Filesize
72KB

Download
memory/1492-274-0x000000000D820000-0x000000000D834000-memory.dmp

Filesize
80KB

Download
memory/1492-273-0x00000000062D0000-0x00000000062E0000-memory.dmp

Filesize
64KB

Download
memory/1492-237-0x00000000036F0000-0x000000000371B000-memory.dmp

Filesize
172KB

Download
memory/1492-233-0x00000000036C0000-0x00000000036EA000-memory.dmp

Filesize
168KB

Download
memory/1492-271-0x000000000B910000-0x000000000BB17000-memory.dmp

Filesize
2.0MB

Download
memory/1492-269-0x000000000B410000-0x000000000B54D000-memory.dmp

Filesize
1.2MB

Download
memory/1492-204-0x00000000027B0000-0x0000000002943000-memory.dmp

Filesize
1.6MB

Download
memory/1492-242-0x0000000003CE0000-0x0000000003CE9000-memory.dmp

Filesize
36KB

Download
memory/1492-243-0x0000000003CF0000-0x0000000003CFA000-memory.dmp

Filesize
40KB

Download
memory/1492-245-0x0000000004A10000-0x0000000004A15000-memory.dmp

Filesize
20KB

Download
memory/1492-244-0x0000000004A00000-0x0000000004A03000-memory.dmp

Filesize
12KB

Download
memory/1492-221-0x0000000002750000-0x0000000002768000-memory.dmp

Filesize
96KB

Download
memory/1492-267-0x000000000B070000-0x000000000B1CF000-memory.dmp

Filesize
1.4MB

Download
memory/1492-250-0x00000000059C0000-0x0000000005A1F000-memory.dmp

Filesize
380KB

Download
memory/1492-217-0x0000000002950000-0x0000000002BB8000-memory.dmp

Filesize
2.4MB

Download
memory/1492-265-0x0000000009A20000-0x0000000009AD9000-memory.dmp

Filesize
740KB

Download
memory/1492-256-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1492-229-0x0000000003760000-0x0000000003882000-memory.dmp

Filesize
1.1MB

Download
memory/1492-260-0x0000000006770000-0x000000000699E000-memory.dmp

Filesize
2.2MB

Download
memory/1492-262-0x0000000006F60000-0x0000000007196000-memory.dmp

Filesize
2.2MB

Download
memory/1492-264-0x0000000005B50000-0x0000000005B5E000-memory.dmp

Filesize
56KB

Download
memory/2304-355-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2304-314-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2672-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2672-312-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3696-307-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-255-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-136-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4628-232-0x0000000002A90000-0x0000000002B5D000-memory.dmp

Filesize
820KB

Download
memory/4628-171-0x0000000002800000-0x000000000281A000-memory.dmp

Filesize
104KB

Download