4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272

Analysis

max time kernel
157s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Size

30.1MB
MD5

3717a1cc9c3aced10b9f6dce24e00ea5
SHA1

0b07785d4e72993e1459edd498091ac1f0250e01
SHA256

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272
SHA512

63c765884230989c4917230ae14c61992ee6d8deb9f28adf057c2afa24e7ba2b9c1c47cb6b522b05c5674e2e151b4df78a00ba59e6e4de287f668c33598b12be
SSDEEP

786432:DH22j0SJs237EEmAHS5lmqLKJp/R6nPzyWp/8dDfLy4Wt:7Twf237Eiy+qgfQuGUdDfLzO

Score

8^/10

bootkit discovery persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 20 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekxescore.exe

description	ioc	process
File created	C:\Windows\system32\drivers\kavbootc.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kdhacker.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kdhacker64.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\bc.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	C:\Windows\system32\drivers\bc.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kusbquery.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kavbootc64.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kisknl.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\ksapi.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	C:\Windows\system32\drivers\kusbquery64.sys	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	C:\Windows\SysWOW64\drivers\kisknl.sys	kxescore.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe
File created	C:\Windows\system32\drivers\kisknl.sys	kxescore.exe

Executes dropped EXE 9 IoCs

Processes:

kavlog2.exekxetray.exekxescore.exekislive.exekxescore.exekxetray.exekwsprotect64.exe

pid process

1324 kavlog2.exe
1776 kxetray.exe
1752 kxescore.exe
2036 kislive.exe
1620 kxescore.exe
1772 kxetray.exe
1336 kwsprotect64.exe
1124
1180

pid	process
1324	kavlog2.exe
1776	kxetray.exe
1752	kxescore.exe
2036	kislive.exe
1620	kxescore.exe
1772	kxetray.exe
1336	kwsprotect64.exe
1124
1180

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

Sets file execution options in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINST.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISCALL.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSETUPWIZ.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KDRVMGR.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRECYCLE.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSIGNSP.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISMAIN.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KXETRAY.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KXESCORE.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCOMREGSVRV8.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSCAN.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLIVE.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISADDIN.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVLOG2.EXE	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kxescore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KDHacker\ImagePath = "\\??\\c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\security\\kxescan\\kdhacker64.sys"	kxescore.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1708-55-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral1/memory/1708-153-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral1/memory/1620-154-0x00000000010E0000-0x00000000010F1000-memory.dmp	upx
behavioral1/memory/1708-197-0x0000000000400000-0x0000000000575000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekxetray.exekislive.exekavlog2.exekxescore.exekxescore.exe

pid	process
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1776	kxetray.exe
2036	kislive.exe
1776	kxetray.exe
2036	kislive.exe
1324	kavlog2.exe
1752	kxescore.exe
1752	kxescore.exe
1324	kavlog2.exe
2036	kislive.exe
2036	kislive.exe
1620	kxescore.exe
1620	kxescore.exe
1776	kxetray.exe
1620	kxescore.exe
2036	kislive.exe
1620	kxescore.exe
1776	kxetray.exe
1620	kxescore.exe
1776	kxetray.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1620	kxescore.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

kxetray.exe

description	ioc	process
File opened (read-only)	\??\T:	kxetray.exe
File opened (read-only)	\??\W:	kxetray.exe
File opened (read-only)	\??\F:	kxetray.exe
File opened (read-only)	\??\I:	kxetray.exe
File opened (read-only)	\??\O:	kxetray.exe
File opened (read-only)	\??\D:	kxetray.exe
File opened (read-only)	\??\P:	kxetray.exe
File opened (read-only)	\??\Q:	kxetray.exe
File opened (read-only)	\??\K:	kxetray.exe
File opened (read-only)	\??\N:	kxetray.exe
File opened (read-only)	\??\H:	kxetray.exe
File opened (read-only)	\??\J:	kxetray.exe
File opened (read-only)	\??\L:	kxetray.exe
File opened (read-only)	\??\M:	kxetray.exe
File opened (read-only)	\??\R:	kxetray.exe
File opened (read-only)	\??\S:	kxetray.exe
File opened (read-only)	\??\E:	kxetray.exe
File opened (read-only)	\??\G:	kxetray.exe
File opened (read-only)	\??\X:	kxetray.exe
File opened (read-only)	\??\Y:	kxetray.exe
File opened (read-only)	\??\Z:	kxetray.exe
File opened (read-only)	\??\U:	kxetray.exe
File opened (read-only)	\??\V:	kxetray.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

description ioc process

File opened for modification \??\PhysicalDrive0 4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Drops file in System32 directory 1 IoCs

Processes:

kavlog2.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\KAVEventLog.EVT kavlog2.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\KAVEventLog.EVT	kavlog2.exe

Drops file in Program Files directory 64 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekxetray.exekislive.exekxescore.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\cloudpop\1.0.0\pop_cd_cleanrubbish2\setting_menu.xml	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\17tudou.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\letao.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\hsbc.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\hkbea.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\pufa.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\51youpin.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\lamiu.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\bankofshanghai.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\wd.dat	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\4.png	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\whiteurl.dat	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksysopteng.dll	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\dangdang.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\uzai.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\cloudpop\1.0.0\pop_cd_cleanrubbish2\action.xml	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kavcfg.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\vinfo.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\config\ksesysfiles.dat	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\kcom_common\index.dat	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\config3a.dat	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\uplive.svr	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\urlmon.cfg	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\netbank.dat	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kfc_hfps.dat	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\log\kusbcore.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\njcb.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kfccfg.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\wgsites.dat	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksbwdet2.dll.log	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\quwan.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kws\icon\commentbgsafetrb.gif	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\procinfo.dat	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\32qidian.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\tuan800.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\maimaicha.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\install.xml	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\cloudpop\1.0.0\popcfg.xml	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\12shengda.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\idaphne.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksrengcfg.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\1.jpg	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\03yidong.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\02haofang.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\miqi.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\13dipanw.png	kxetray.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\baifubao.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\standardchartered.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\update\kav\indexkcom_common.dat	kislive.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kws\icon\kws_unknown_no.gif	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kavquara.dll	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kusernetwhitelist.dat-journal	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\duba123ie.ico	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File opened for modification	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kws_init.log	kxescore.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\ihush.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\shengfutong.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\24juan.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetraynormal.dat	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\netbuyImgs\kuaiqian.png	kxetray.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavstart.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksscfgx.ini	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcctrl.dll	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 50 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekxetray.exekxescore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{372B851C-71B6-4fd3-9A23-30A4D1FFF178}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "cd1ed43f629095660a26c9306b25b2c5"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "j85y8cay2anmsaaftzwcqmjbxg98"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	kxescore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "137523218"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	kxescore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "017e18a2dd770fd54bc8e7bd991c827c"	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "j85y8cay2anmsaaftzwcqmjbxg98"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "137523218"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	kxescore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

kxetray.exekxetray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	kxetray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	kxetray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	kxetray.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

kxetray.exe4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekxetray.exe

pid	process
1772	kxetray.exe
1772	kxetray.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe
1776	kxetray.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

460
460
460
460
460

pid	process
460
460
460
460
460

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekislive.exekxescore.exekxetray.exe

description	pid	process
Token: SeDebugPrivilege	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Token: SeDebugPrivilege	2036	kislive.exe
Token: SeDebugPrivilege	1620	kxescore.exe
Token: SeDebugPrivilege	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
Token: 33	1620	kxescore.exe
Token: SeIncBasePriorityPrivilege	1620	kxescore.exe
Token: SeDebugPrivilege	1776	kxetray.exe
Token: SeDebugPrivilege	1776	kxetray.exe
Token: SeDebugPrivilege	1776	kxetray.exe
Token: SeDebugPrivilege	1776	kxetray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

kxetray.exe

pid process

1776 kxetray.exe
1776 kxetray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

kxetray.exe

pid process

1776 kxetray.exe
1776 kxetray.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

kwsprotect64.exekxetray.exe

pid process

1336 kwsprotect64.exe
1336 kwsprotect64.exe
1776 kxetray.exe
1776 kxetray.exe

pid	process
1776	kxetray.exe
1776	kxetray.exe

pid	process
1776	kxetray.exe
1776	kxetray.exe

pid	process
1336	kwsprotect64.exe
1336	kwsprotect64.exe
1776	kxetray.exe
1776	kxetray.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exekxetray.exe

description	pid	process	target process
PID 1708 wrote to memory of 1324	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kavlog2.exe
PID 1708 wrote to memory of 1324	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kavlog2.exe
PID 1708 wrote to memory of 1324	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kavlog2.exe
PID 1708 wrote to memory of 1324	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kavlog2.exe
PID 1708 wrote to memory of 1776	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1776	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1776	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1776	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1752	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxescore.exe
PID 1708 wrote to memory of 1752	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxescore.exe
PID 1708 wrote to memory of 1752	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxescore.exe
PID 1708 wrote to memory of 1752	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxescore.exe
PID 1708 wrote to memory of 2036	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kislive.exe
PID 1708 wrote to memory of 2036	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kislive.exe
PID 1708 wrote to memory of 2036	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kislive.exe
PID 1708 wrote to memory of 2036	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kislive.exe
PID 1708 wrote to memory of 1772	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1772	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1772	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1708 wrote to memory of 1772	1708	4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe	kxetray.exe
PID 1776 wrote to memory of 1336	1776	kxetray.exe	kwsprotect64.exe
PID 1776 wrote to memory of 1336	1776	kxetray.exe	kwsprotect64.exe
PID 1776 wrote to memory of 1336	1776	kxetray.exe	kwsprotect64.exe
PID 1776 wrote to memory of 1336	1776	kxetray.exe	kwsprotect64.exe

C:\Users\Admin\AppData\Local\Temp\4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe
"C:\Users\Admin\AppData\Local\Temp\4891e15b645c0bda957629e5bd98782dbabf0911912bd94d238d02383c76a272.exe"
1⤵
- Drops file in Drivers directory
- Registers COM server for autorun
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1324

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe
"kwsprotect64.exe" (null)
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe" /autorun /std /skipcs3
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2036

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /lockpage:http://www.163205.com/
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1772

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
490KB

MD5
290838609c8642c2abf090d3da761c55

SHA1
098f842d4b153d0b88a52697a3e59015a27abc44

SHA256
e7c1f57b2b2fe87141179f1ebd37029b55eeaf29935e83c029905adfbe86720b

SHA512
8b364176192fd1c2b127044edea2fa1c9be1ba0973956ca534919ee88e2b56c92ad5ed8015569b22456a3b84be853d99bdc92cfd425b65b19009d709833ea5c7

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe
Filesize
810KB

MD5
4734dad5ce705d7923b3f0c9f25063cd

SHA1
14f4526686f3eaa70754bd063478e7af23837995

SHA256
31e09d3c1167df0aeb39db6be9e73dc4436902db0cd9add12278b562eea90f2e

SHA512
59853710e47d0e99796c7cf0329758374f330aa5851e6110147d339fff4bc11b4986e712d5657824aee529dad49afd7602131ae6ad0d9c674c68cd157bbe9ac4

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
Filesize
257KB

MD5
3e58822b8ccc8de14a55ad7c47282f64

SHA1
a5a8fc030d8e77226bd38253739e673a39c1361c

SHA256
11be2f6ed17ab6a81add3928a1a86a1dca574b6b719b2b8c5b178f6e78735050

SHA512
072f1ef77238658bfad844d0b848751646749bc7354ba795d1c5ed6b0bc82c2949b6c161e830903f719a52ca9065c4f9f017cb8eb2866307dd3b85d516e6576d

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
Filesize
257KB

MD5
3e58822b8ccc8de14a55ad7c47282f64

SHA1
a5a8fc030d8e77226bd38253739e673a39c1361c

SHA256
11be2f6ed17ab6a81add3928a1a86a1dca574b6b719b2b8c5b178f6e78735050

SHA512
072f1ef77238658bfad844d0b848751646749bc7354ba795d1c5ed6b0bc82c2949b6c161e830903f719a52ca9065c4f9f017cb8eb2866307dd3b85d516e6576d

Download Submit
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
Filesize
1.5MB

MD5
c01e1651e1fc4e519267294ceef9e3b9

SHA1
64ea52712fa6ba6e5722f6e2736ee75677ad83b2

SHA256
d4163162cea8cbb759c0a5eed9491c6a71f3aa2bd988faca66288b919e0788ff

SHA512
a0ed4aaf25ee6a286f0a3a201253472f4699f80521f4c888dcfcc451b593d2e990d53b9beefa10170cd1aacfff3f883f195de55c3cedcf974c1a678cec26331e

Download Submit
C:\Windows\system32\drivers\ksapi64.sys
Filesize
54KB

MD5
ac1ccbdc13c5b3e9790d614fabe244ce

SHA1
983f6895bd3ffb490a8aa75d5e3591700e9a1bd7

SHA256
d3c0c69a4a25d5e98e52a46158d6c51da06eda839815fda0546599b97755231d

SHA512
41afc601e622b530c12cf370351f43436b4fa8d06f8c318b3d19da18ac3b31ef8947f0f021ee36aebf70a121461a6efbe333314a577bdefd894c390d68a82d72

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCP80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\MSVCR80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\duba_binglanbeiji.dubaskin
Filesize
51KB

MD5
88ad8a79f4c9febe8d173f9d1b846afe

SHA1
5492f457140916cb1563cfe1c2a88f8f49dabb81

SHA256
937468e8899dcf7cfec09220f1013445f206d0c27ab72114f1d63aa0542e6cca

SHA512
4c183c227aa760795ef3eeaf4e35ba011112d0d5466a06856ec79f5efb0784374ba0babb538962d9ddf2709e97fc1f534bb0b09b80e38b93f248948a23250e55

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\binglanbeiji.dubatheme
Filesize
331KB

MD5
cb3b6223ed9e2a45e7840228597d16e0

SHA1
31c5f386e4af3b42d816f148b26d0f7953447e0f

SHA256
0116e735f04267882e6a536dd4b8d8ae7c8fa58a0e9255ee0d96cbc5c7d765b8

SHA512
b1ca6a0252f3b8e1dbec4faa3d97a682f1f5235cdc80cd33f09528efce38e8697e81eb8a2c63f85526d662c73745246c9f15b063dc81c1b45751ff287c459b0b

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll
Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcctrl.dll
Filesize
582KB

MD5
39c60e9eac76f8e3d4ac9a119dddd5e2

SHA1
5cd1e432ccb86ae8749af99fe9b99596287f45e8

SHA256
dba1164dea9b98ce4bfce68cf0d500b145b33ab6b8b24062d568e2a833d30178

SHA512
8219b5340fe960ec6ece45bfd4e59cb69e75f993cf89fb90ae59833488cfca7551ca093a3deab3717d2037727f6bf4d32585091ce55aeca4e66ea1d642f20a47

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll
Filesize
213KB

MD5
356ec12560529ad10f0c311a33cb16ad

SHA1
c1b083abc0e3a9e9a9c97e5b2850bd213eadd28e

SHA256
0bbe8014f2a84729935bb3bfb7c9df64428900e4e595808ed2478b07fd1188c4

SHA512
fcd051c999b655188dd971f730b5042e7c661cbf3b6d44e7005de1e7d71e3b6636e170c2388f2bc09f5276527efe8cb2eec682baba9597186e4dfed054771d01

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll
Filesize
166KB

MD5
64960a40af70fd71e5d5599846effbe8

SHA1
4747f4b7ea424e0411028deaaba58624978edc58

SHA256
697c40951595c715502dfeb72ca6200bc6360c5b4db9a28c0d39a76f0f4616e6

SHA512
307c6b9c1bb3b9e83751d8e88fbb6778f37934c685495f605d6d40b6c058141c16213ac2126fd96ac8686b24b8d3b99ce89969aad1fba28efcb2673f5ee2c9a1

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll
Filesize
166KB

MD5
5e721ab03eaa61bde4f03f1d01c1741e

SHA1
adaf568daa25d3ee876bf1b594ab4bd90dba2b3b

SHA256
07c86e2bb2df7b9aec20a71ba26acf2dedea283589a4844d221c6868f3689d49

SHA512
0781ceea0f99ab37936bf6c325591939815163e3276e2702db19b230ceb38e7ad4b177e3db4da99eadf8777ed8399ef4ae074fd196ff1607030c1bf8671bc8f5

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi64.sys
Filesize
54KB

MD5
ac1ccbdc13c5b3e9790d614fabe244ce

SHA1
983f6895bd3ffb490a8aa75d5e3591700e9a1bd7

SHA256
d3c0c69a4a25d5e98e52a46158d6c51da06eda839815fda0546599b97755231d

SHA512
41afc601e622b530c12cf370351f43436b4fa8d06f8c318b3d19da18ac3b31ef8947f0f021ee36aebf70a121461a6efbe333314a577bdefd894c390d68a82d72

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll
Filesize
1.3MB

MD5
3771461faa9dea561ddb5bf94031c8d1

SHA1
453c1186ffa515d501f025e9415b14043801ae43

SHA256
dbb07298288136b76d53661de88f0940aa32036ef1056c9a72424eb19a7e8f7d

SHA512
07f95f65ae7ff6c0f006b3ba7db5a5349b2eee52bcb2834270369cd5158a03c76a68049f35576c28fc2e5bc8028d6a9d58364ea960facc8fd07806a90abee285

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebase.dll
Filesize
63KB

MD5
943e99cf9c0e96a31abb7325558371d8

SHA1
3188bb90f16c14b03e0d09e244ecaa9d2285be78

SHA256
df1dde424ec68bb481f3cdbed66a52c92325134b084c6bd1ad013c3ba0ac3780

SHA512
de3047ee0c70adb15a1ffe25e3f21b832ad9b1152d6e3ec3f54ae33e5f8f70d614b9cfff28d9645ddb850a6fb0d71b0a43d96be07857841fd6f37813793f6757

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf
Filesize
87B

MD5
47f61d0f7bd830f5bfe72c3b65941fde

SHA1
d7f440877e23679fd2c480dff2b8f3219702d681

SHA256
eb09cf1094904f0d3038ce1e981fd4366eba4000c8b6f13a3dbbaefea4797e37

SHA512
d234f17af1440aba1a4f6c2b24d04fdeb3a685f25f391cdc1ac048dfed1b470689bed5b21d7b3db94f9186445932982f462bbee8af919c1a957ab89bd69e68f5

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kctrl.dat
Filesize
1KB

MD5
755825eef7e8e3d1a075eea3d95d2d55

SHA1
a28f76ce60f623fef55bbd2d54e2c5bce98fcbce

SHA256
6e5384ff0f81d03c8889a8837bf05b27487d72cd86892cb0e255e998b7efc577

SHA512
fae0c3be2a021ded93af2be19ad552d004705a497c9a46f1316f19dfa3ea7c858f7ad069d1fbdb053e29ce88e5052f7e0da25498b921190e6b8581b41c647019

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx
Filesize
72KB

MD5
33ac93f27054f563382fd450515d8ea7

SHA1
04b54a033512c53a53d11b712b7fa0713e500620

SHA256
6bb206fb38a48de34ea456c02b1b3f2c0c8bf5570108fc5bf12e28b67e467901

SHA512
206c813d121d77ee2db68bfe93cf9d4c73831aaa38e5cd8f5e4c44274e8b05b1d5684d7a9c14cf0d13acb2367284ea76026753a9c4bc5b617d0d57238c623279

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll
Filesize
298KB

MD5
98c8a2e09b8195a36dab3aebac7e83c7

SHA1
39de547b154a7752e94a92f54a1c142e9f5ff148

SHA256
6550ef6d43191672f49169b252aa6a8cac654b26af0c06b95ef322a2b97a4ea4

SHA512
404b4ff307015fbba3e6351f642f05a84ebb5f0c0425417ec378d8001f19a77de7a85fae989ff14df7894c12932f0b2d57b9640deb13775a4da9964505f7e547

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kismain.ini
Filesize
68B

MD5
474278c3409411ca1c251ae4f6dbc395

SHA1
2aa37f80a89a5545d832b71237278ab6caacfc53

SHA256
d5945e7a02ae088974058dcf72c2f21e75185762db1e5f0623b6cd839c6c7b29

SHA512
f7871a987a015a4f1cfd2709fb9274be09f6832ee338b10b8265402fcc19ad831cd303730b8a77a22d3c6e2ee10acf2908a5d1b96707d1953a15d8cb8cb43297

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\uplive.svr
Filesize
6KB

MD5
550af17642113597bf56d46a21d692b3

SHA1
21bc4f2b71f56577f3396c24e9d4376226687328

SHA256
f30b6642cf3641898610dffc1f9260a79b9dbec71d673c4011acb7e5995bc10b

SHA512
6341cd1a7466abf6c10bc9c88688d979ba70c35a4b8e4b78fb1544b30467c378e058729dd6dbf491114c56756ea91fdcdd6fbaa9faae49ea5a7c804940201050

Download Submit
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.dll
Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavevent.dll
Filesize
90KB

MD5
80f899ca024ddcf5218a4fadeacaec54

SHA1
2756821bde2d8eb44b04da63afbf5496565ddf71

SHA256
2a0d8c0778ef91c5e9f7ffac47a0e49a4055d50556895822d84adcbce9375c17

SHA512
ae871718f3eb2bcdd4bc6d41a691e9684a98a022d0db9d9444470820847e648e369a5f0c7887dc31d6ffa51572634345fe2448c1defe8535eb79c30f8202f41f

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
490KB

MD5
290838609c8642c2abf090d3da761c55

SHA1
098f842d4b153d0b88a52697a3e59015a27abc44

SHA256
e7c1f57b2b2fe87141179f1ebd37029b55eeaf29935e83c029905adfbe86720b

SHA512
8b364176192fd1c2b127044edea2fa1c9be1ba0973956ca534919ee88e2b56c92ad5ed8015569b22456a3b84be853d99bdc92cfd425b65b19009d709833ea5c7

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Filesize
490KB

MD5
290838609c8642c2abf090d3da761c55

SHA1
098f842d4b153d0b88a52697a3e59015a27abc44

SHA256
e7c1f57b2b2fe87141179f1ebd37029b55eeaf29935e83c029905adfbe86720b

SHA512
8b364176192fd1c2b127044edea2fa1c9be1ba0973956ca534919ee88e2b56c92ad5ed8015569b22456a3b84be853d99bdc92cfd425b65b19009d709833ea5c7

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
Filesize
42KB

MD5
8d9f203a21f2763e51ed097286bf34fa

SHA1
3f19728df55fd05a72b12941b6f530cfaafc1a30

SHA256
05e2a3fa3506b8e6d66adbb9841672de18e7ea93fda41c6b7bc2cff78b5ebb36

SHA512
4fecd387165d3b83eed70778943c7e9eca27a9fe04b969b2d8e8946b1e20148d523d1f1ad33ce9d0eead21f3b395906d493ad7a76c87e87e41c070a63916f963

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kcctrl.dll
Filesize
582KB

MD5
39c60e9eac76f8e3d4ac9a119dddd5e2

SHA1
5cd1e432ccb86ae8749af99fe9b99596287f45e8

SHA256
dba1164dea9b98ce4bfce68cf0d500b145b33ab6b8b24062d568e2a833d30178

SHA512
8219b5340fe960ec6ece45bfd4e59cb69e75f993cf89fb90ae59833488cfca7551ca093a3deab3717d2037727f6bf4d32585091ce55aeca4e66ea1d642f20a47

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe
Filesize
810KB

MD5
4734dad5ce705d7923b3f0c9f25063cd

SHA1
14f4526686f3eaa70754bd063478e7af23837995

SHA256
31e09d3c1167df0aeb39db6be9e73dc4436902db0cd9add12278b562eea90f2e

SHA512
59853710e47d0e99796c7cf0329758374f330aa5851e6110147d339fff4bc11b4986e712d5657824aee529dad49afd7602131ae6ad0d9c674c68cd157bbe9ac4

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
Filesize
48KB

MD5
e548600f13852b8e4129aa4374b0e63a

SHA1
b1fef095037036563b7efe84c8eefd4bccc6d28a

SHA256
1535653c46a634da3fa6b81ad22a1f879e0182db77008780de066e19e5cefdb8

SHA512
1434905f06f53a87e9ef4b8b9fc6f4d06316cb3d5ae8473fe6a33949418678065c276b19988de30a230c397dd86a7bc61c267ad777ae1cc666a003d061b0d85c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
Filesize
48KB

MD5
e548600f13852b8e4129aa4374b0e63a

SHA1
b1fef095037036563b7efe84c8eefd4bccc6d28a

SHA256
1535653c46a634da3fa6b81ad22a1f879e0182db77008780de066e19e5cefdb8

SHA512
1434905f06f53a87e9ef4b8b9fc6f4d06316cb3d5ae8473fe6a33949418678065c276b19988de30a230c397dd86a7bc61c267ad777ae1cc666a003d061b0d85c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll
Filesize
213KB

MD5
356ec12560529ad10f0c311a33cb16ad

SHA1
c1b083abc0e3a9e9a9c97e5b2850bd213eadd28e

SHA256
0bbe8014f2a84729935bb3bfb7c9df64428900e4e595808ed2478b07fd1188c4

SHA512
fcd051c999b655188dd971f730b5042e7c661cbf3b6d44e7005de1e7d71e3b6636e170c2388f2bc09f5276527efe8cb2eec682baba9597186e4dfed054771d01

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\krecycle.exe
Filesize
488KB

MD5
c998909a8982c328a18f84e140665373

SHA1
87313728230bd13335dfccf005d48786ac81f2b3

SHA256
8278d11df7336ec5e8e73e4ea2b738ac39f0aefe1c2bad280eb7bd7d359beb0d

SHA512
8d73a38a93816f2520306af07e60f16bcf6de22d8c11e21c6267ec689c99a731023206a0ebf900650174a569d51711ec503b1eed29acd4856c9197ee4cdc740c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll
Filesize
166KB

MD5
64960a40af70fd71e5d5599846effbe8

SHA1
4747f4b7ea424e0411028deaaba58624978edc58

SHA256
697c40951595c715502dfeb72ca6200bc6360c5b4db9a28c0d39a76f0f4616e6

SHA512
307c6b9c1bb3b9e83751d8e88fbb6778f37934c685495f605d6d40b6c058141c16213ac2126fd96ac8686b24b8d3b99ce89969aad1fba28efcb2673f5ee2c9a1

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll
Filesize
166KB

MD5
64960a40af70fd71e5d5599846effbe8

SHA1
4747f4b7ea424e0411028deaaba58624978edc58

SHA256
697c40951595c715502dfeb72ca6200bc6360c5b4db9a28c0d39a76f0f4616e6

SHA512
307c6b9c1bb3b9e83751d8e88fbb6778f37934c685495f605d6d40b6c058141c16213ac2126fd96ac8686b24b8d3b99ce89969aad1fba28efcb2673f5ee2c9a1

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll
Filesize
166KB

MD5
5e721ab03eaa61bde4f03f1d01c1741e

SHA1
adaf568daa25d3ee876bf1b594ab4bd90dba2b3b

SHA256
07c86e2bb2df7b9aec20a71ba26acf2dedea283589a4844d221c6868f3689d49

SHA512
0781ceea0f99ab37936bf6c325591939815163e3276e2702db19b230ceb38e7ad4b177e3db4da99eadf8777ed8399ef4ae074fd196ff1607030c1bf8671bc8f5

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.dll
Filesize
166KB

MD5
5e721ab03eaa61bde4f03f1d01c1741e

SHA1
adaf568daa25d3ee876bf1b594ab4bd90dba2b3b

SHA256
07c86e2bb2df7b9aec20a71ba26acf2dedea283589a4844d221c6868f3689d49

SHA512
0781ceea0f99ab37936bf6c325591939815163e3276e2702db19b230ceb38e7ad4b177e3db4da99eadf8777ed8399ef4ae074fd196ff1607030c1bf8671bc8f5

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.sys
Filesize
54KB

MD5
ac1ccbdc13c5b3e9790d614fabe244ce

SHA1
983f6895bd3ffb490a8aa75d5e3591700e9a1bd7

SHA256
d3c0c69a4a25d5e98e52a46158d6c51da06eda839815fda0546599b97755231d

SHA512
41afc601e622b530c12cf370351f43436b4fa8d06f8c318b3d19da18ac3b31ef8947f0f021ee36aebf70a121461a6efbe333314a577bdefd894c390d68a82d72

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi64.sys
Filesize
54KB

MD5
ac1ccbdc13c5b3e9790d614fabe244ce

SHA1
983f6895bd3ffb490a8aa75d5e3591700e9a1bd7

SHA256
d3c0c69a4a25d5e98e52a46158d6c51da06eda839815fda0546599b97755231d

SHA512
41afc601e622b530c12cf370351f43436b4fa8d06f8c318b3d19da18ac3b31ef8947f0f021ee36aebf70a121461a6efbe333314a577bdefd894c390d68a82d72

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll
Filesize
1.3MB

MD5
3771461faa9dea561ddb5bf94031c8d1

SHA1
453c1186ffa515d501f025e9415b14043801ae43

SHA256
dbb07298288136b76d53661de88f0940aa32036ef1056c9a72424eb19a7e8f7d

SHA512
07f95f65ae7ff6c0f006b3ba7db5a5349b2eee52bcb2834270369cd5158a03c76a68049f35576c28fc2e5bc8028d6a9d58364ea960facc8fd07806a90abee285

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
Filesize
257KB

MD5
3e58822b8ccc8de14a55ad7c47282f64

SHA1
a5a8fc030d8e77226bd38253739e673a39c1361c

SHA256
11be2f6ed17ab6a81add3928a1a86a1dca574b6b719b2b8c5b178f6e78735050

SHA512
072f1ef77238658bfad844d0b848751646749bc7354ba795d1c5ed6b0bc82c2949b6c161e830903f719a52ca9065c4f9f017cb8eb2866307dd3b85d516e6576d

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
Filesize
257KB

MD5
3e58822b8ccc8de14a55ad7c47282f64

SHA1
a5a8fc030d8e77226bd38253739e673a39c1361c

SHA256
11be2f6ed17ab6a81add3928a1a86a1dca574b6b719b2b8c5b178f6e78735050

SHA512
072f1ef77238658bfad844d0b848751646749bc7354ba795d1c5ed6b0bc82c2949b6c161e830903f719a52ca9065c4f9f017cb8eb2866307dd3b85d516e6576d

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
Filesize
1.5MB

MD5
c01e1651e1fc4e519267294ceef9e3b9

SHA1
64ea52712fa6ba6e5722f6e2736ee75677ad83b2

SHA256
d4163162cea8cbb759c0a5eed9491c6a71f3aa2bd988faca66288b919e0788ff

SHA512
a0ed4aaf25ee6a286f0a3a201253472f4699f80521f4c888dcfcc451b593d2e990d53b9beefa10170cd1aacfff3f883f195de55c3cedcf974c1a678cec26331e

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
Filesize
1.5MB

MD5
c01e1651e1fc4e519267294ceef9e3b9

SHA1
64ea52712fa6ba6e5722f6e2736ee75677ad83b2

SHA256
d4163162cea8cbb759c0a5eed9491c6a71f3aa2bd988faca66288b919e0788ff

SHA512
a0ed4aaf25ee6a286f0a3a201253472f4699f80521f4c888dcfcc451b593d2e990d53b9beefa10170cd1aacfff3f883f195de55c3cedcf974c1a678cec26331e

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\operation\cas\kinfoc.dll
Filesize
298KB

MD5
98c8a2e09b8195a36dab3aebac7e83c7

SHA1
39de547b154a7752e94a92f54a1c142e9f5ff148

SHA256
6550ef6d43191672f49169b252aa6a8cac654b26af0c06b95ef322a2b97a4ea4

SHA512
404b4ff307015fbba3e6351f642f05a84ebb5f0c0425417ec378d8001f19a77de7a85fae989ff14df7894c12932f0b2d57b9640deb13775a4da9964505f7e547

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\scom.dll
Filesize
71KB

MD5
0d9fd22c4b94746a19478e49c6abe1f5

SHA1
8ef001a0c1fd44d2c61ff4b55a8043f4e129aff7

SHA256
d7c44eeee6a1cfba85c4569b534911ef8ca836b7d821db77f642ea4bdbaad645

SHA512
2ec28ab6982fbfcd4050231aba3efd602ef792a5ec365951f71b9a44487f299fd9558a646d8db0604900e070d5b3ff9da1f620f697c08f498e0ebe893d9dec6a

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
Filesize
27KB

MD5
725d897352ec1bb8ea219282b343e5af

SHA1
5f4e986d09cc211f916be0b89d0199077010c178

SHA256
fbb90272c9a4cf87eb0495edcf38c922e9a71c12ea2b197d8011c309ff12477e

SHA512
2b2962a869605dfeb2f20252f4dceb31a5e09c377440174079d7f50639eb4bed5a68f26420c73d28494d41ceb06581a9952543aeff13b2822040e55c6ad2cb7f

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
Filesize
27KB

MD5
725d897352ec1bb8ea219282b343e5af

SHA1
5f4e986d09cc211f916be0b89d0199077010c178

SHA256
fbb90272c9a4cf87eb0495edcf38c922e9a71c12ea2b197d8011c309ff12477e

SHA512
2b2962a869605dfeb2f20252f4dceb31a5e09c377440174079d7f50639eb4bed5a68f26420c73d28494d41ceb06581a9952543aeff13b2822040e55c6ad2cb7f

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
Filesize
207KB

MD5
5386705763928234bbf1e9ec8fb2f185

SHA1
9654babee332cd26c5d4d63134f638217a2378af

SHA256
fb065a5a3a9d003d6493a5a7fc596088fbb5fdff7da479d4d62b7aeb77b62c6a

SHA512
38bf550aebffd3c909f85ca7b0d08239e4f418e1811f71a564ade22712b36c44162164e16b28c0178f40b5fbc79fc34cafcd292a7d355de0533fd6b80e231753

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
Filesize
207KB

MD5
5386705763928234bbf1e9ec8fb2f185

SHA1
9654babee332cd26c5d4d63134f638217a2378af

SHA256
fb065a5a3a9d003d6493a5a7fc596088fbb5fdff7da479d4d62b7aeb77b62c6a

SHA512
38bf550aebffd3c909f85ca7b0d08239e4f418e1811f71a564ade22712b36c44162164e16b28c0178f40b5fbc79fc34cafcd292a7d355de0533fd6b80e231753

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe
Filesize
928KB

MD5
4f25cf6214541a226aeb769754dcb54b

SHA1
a3ad738d23e04408cbc0187074319d86b7cd13e5

SHA256
b280c3af39070195b1808ed89c36ddcd837f0f261434ceac1285ad21abca0966

SHA512
61ca019a6bf146adf9ac48b9c959b247e00788dfa017e083ec01a3008f19d9173beb6327e0ef96fdcf89c41e68cb4df6f4d7995ed7c1909b80dcda6600f86861

Download Submit
\Windows\System32\drivers\ksapi64.sys
Filesize
54KB

MD5
ac1ccbdc13c5b3e9790d614fabe244ce

SHA1
983f6895bd3ffb490a8aa75d5e3591700e9a1bd7

SHA256
d3c0c69a4a25d5e98e52a46158d6c51da06eda839815fda0546599b97755231d

SHA512
41afc601e622b530c12cf370351f43436b4fa8d06f8c318b3d19da18ac3b31ef8947f0f021ee36aebf70a121461a6efbe333314a577bdefd894c390d68a82d72

Download Submit
memory/1324-71-0x0000000000000000-mapping.dmp

Download
memory/1336-208-0x0000000000000000-mapping.dmp

Download
memory/1620-137-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1620-162-0x00000000014E0000-0x00000000014FA000-memory.dmp

Filesize
104KB

Download
memory/1620-187-0x0000000003B10000-0x0000000003B5D000-memory.dmp

Filesize
308KB

Download
memory/1620-130-0x0000000001060000-0x000000000108A000-memory.dmp

Filesize
168KB

Download
memory/1620-174-0x0000000003D90000-0x0000000003DE6000-memory.dmp

Filesize
344KB

Download
memory/1620-142-0x00000000010E0000-0x00000000010F1000-memory.dmp

Filesize
68KB

Download
memory/1620-176-0x0000000004900000-0x000000000497D000-memory.dmp

Filesize
500KB

Download
memory/1620-163-0x00000000032C0000-0x0000000003372000-memory.dmp

Filesize
712KB

Download
memory/1620-185-0x0000000005C90000-0x0000000005D47000-memory.dmp

Filesize
732KB

Download
memory/1620-149-0x0000000001210000-0x0000000001222000-memory.dmp

Filesize
72KB

Download
memory/1620-160-0x0000000001330000-0x0000000001386000-memory.dmp

Filesize
344KB

Download
memory/1620-156-0x0000000003180000-0x00000000032BF000-memory.dmp

Filesize
1.2MB

Download
memory/1620-155-0x00000000010E0000-0x00000000010F1000-memory.dmp

Filesize
68KB

Download
memory/1620-154-0x00000000010E0000-0x00000000010F1000-memory.dmp

Filesize
68KB

Download
memory/1620-152-0x00000000010E0000-0x00000000010F1000-memory.dmp

Filesize
68KB

Download
memory/1620-117-0x0000000001030000-0x000000000105A000-memory.dmp

Filesize
168KB

Download
memory/1620-147-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/1620-215-0x00000000010E0000-0x00000000010F1000-memory.dmp

Filesize
68KB

Download
memory/1620-148-0x00000000010E0000-0x00000000010F1000-memory.dmp

Filesize
68KB

Download
memory/1708-63-0x0000000004AB0000-0x0000000004B2C000-memory.dmp

Filesize
496KB

Download
memory/1708-55-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-153-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-62-0x0000000004AB0000-0x0000000004B2C000-memory.dmp

Filesize
496KB

Download
memory/1708-197-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-61-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1708-60-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1752-78-0x0000000000000000-mapping.dmp

Download
memory/1772-182-0x00000000023F0000-0x000000000241A000-memory.dmp

Filesize
168KB

Download
memory/1772-198-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-180-0x00000000023C0000-0x00000000023EA000-memory.dmp

Filesize
168KB

Download
memory/1772-172-0x0000000000000000-mapping.dmp

Download
memory/1776-124-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-125-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-170-0x00000000024A0000-0x00000000024B1000-memory.dmp

Filesize
68KB

Download
memory/1776-168-0x0000000003D00000-0x0000000003F32000-memory.dmp

Filesize
2.2MB

Download
memory/1776-166-0x0000000003470000-0x0000000003CF8000-memory.dmp

Filesize
8.5MB

Download
memory/1776-165-0x00000000024E0000-0x0000000002623000-memory.dmp

Filesize
1.3MB

Download
memory/1776-133-0x00000000023D0000-0x00000000023FA000-memory.dmp

Filesize
168KB

Download
memory/1776-184-0x00000000024A0000-0x00000000024B1000-memory.dmp

Filesize
68KB

Download
memory/1776-127-0x00000000023A0000-0x00000000023CA000-memory.dmp

Filesize
168KB

Download
memory/1776-171-0x00000000024AF000-0x00000000024B4000-memory.dmp

Filesize
20KB

Download
memory/1776-189-0x0000000004780000-0x00000000048C8000-memory.dmp

Filesize
1.3MB

Download
memory/1776-191-0x00000000048D0000-0x0000000004911000-memory.dmp

Filesize
260KB

Download
memory/1776-193-0x0000000004BA0000-0x0000000004C57000-memory.dmp

Filesize
732KB

Download
memory/1776-195-0x0000000004DA0000-0x0000000004DF6000-memory.dmp

Filesize
344KB

Download
memory/1776-75-0x0000000000000000-mapping.dmp

Download
memory/2036-82-0x0000000000000000-mapping.dmp

Download
memory/2036-115-0x0000000002910000-0x0000000002A53000-memory.dmp

Filesize
1.3MB

Download
memory/2036-106-0x0000000002580000-0x000000000259A000-memory.dmp

Filesize
104KB

Download