bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c

Analysis

max time kernel
172s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe
Size

900KB
MD5

4fe259d349ed6b93149954dc8d6817ed
SHA1

a562d9fdd1e40284c115c3490c425826611e16cf
SHA256

bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c
SHA512

71ea77331f32cebb0c0e9b72a4aed00a2156019588606f5849004c2102ed323561682bcd544d88f2a2315785499ebef371404a230e58a184c710917fb03d3839
SSDEEP

24576:FHLZyRCNiSMGrr+LV5DmaKykyWaq2rViK9xdfubC661S0C0xytR:qRCVMiOma7vVVfujuCJR

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
3912	KAV_97_10.exe
4996	kav_down.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp

Loads dropped DLL 7 IoCs

pid	Process
452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
4996	kav_down.exe
4996	kav_down.exe
4996	kav_down.exe
4996	kav_down.exe
4996	kav_down.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6060f2f4-83a7-4cb3-9341-d873bbfdfe9a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221206181454.pma	setup.exe
File opened for modification	C:\Program Files (x86)\softguid\unins000.dat	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Program Files (x86)\softguid\is-APOLN.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File opened for modification	C:\Program Files (x86)\softguid\is-APOLN.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Program Files (x86)\softguid\is-SOTBQ.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Program Files (x86)\softguid\is-7S8VH.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File opened for modification	C:\Program Files (x86)\Common Files\nsklog	kav_down.exe
File opened for modification	C:\Program Files (x86)\Common Files\nsklog\kingsoftinst.txt	kav_down.exe
File created	C:\Program Files (x86)\softguid\unins000.dat	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\CSIDLCOMMONS\serverID.txt	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\crucc.lnk	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File opened for modification	C:\Windows\CSIDLCOMMONS\Install.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\infofile.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\ppc.exe	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\rd.txt	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\taobao.ico	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\ttf.exe	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\ync.exe	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\Install.tmp	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\Config.ini	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\crucc.ccru	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
File created	C:\Windows\CSIDLCOMMONS\KAV_97_10.exe	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022ed1-167.dat	nsis_installer_1
behavioral2/files/0x0006000000022ed1-167.dat	nsis_installer_2
behavioral2/files/0x0006000000022ed1-168.dat	nsis_installer_1
behavioral2/files/0x0006000000022ed1-168.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 59 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	KAV_97_10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru\Shell\Open\Command\ = "\"Rundll32.exe\" \"C:\\Program Files (x86)\\softguid\\InstallDll.dll\" Inrunu"	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	KAV_97_10.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{40381D51-F162-41a9-BE67-0851A3B02091}	kav_down.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru\Shell\Open\Command	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5c003100000000000c55b69a14204d4943524f537e310000440009000400efbe874fdb498655a1912e000000510500000000010000000000000000000000000000007cf05b004d006900630072006f0073006f0066007400000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru\Shell	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	KAV_97_10.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 60003100000000000c55349b122050524f4752417e330000480009000400efbe874fdb498655a1912e000000500500000000010000000000000000000000000000005be86b00500072006f006700720061006d004400610074006100000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 82003100000000000c55499b112050726f6772616d7300006a0009000400efbe874fdb498655a1912e0000009e0500000000010000000000000000004000000000008f392c00500072006f006700720061006d007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003200000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	KAV_97_10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40381D51-F162-41a9-BE67-0851A3B02091}\state = "3"	kav_down.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru\Shell\Open	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru\DefaultIcon	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000c55eb98102057696e646f777300400009000400efbe874fdb498655a1912e000000820500000000010000000000000000000000000000008d278000570069006e0064006f0077007300000016000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ccru\Shell\Open\	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "d943cc7ab558a18d4e393bcc138fd552"	KAV_97_10.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40381D51-F162-41a9-BE67-0851A3B02091}\KisPath	kav_down.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ccru	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 7e00310000000000874fdc4911205374617274557000680009000400efbe874fdb490c5523a22e000000a40500000000010000000000000000003e0000000000d33df2005300740061007200740055007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003700000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 8600310000000000874fdc49112053544152544d7e3100006e0009000400efbe874fdb498655a1912e0000009d050000000001000000000000000000440000000000581df5005300740061007200740020004d0065006e007500000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003600000018000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ccru\ = "ccru"	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	KAV_97_10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	KAV_97_10.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40381D51-F162-41a9-BE67-0851A3B02091}\KisErrors = "3"	kav_down.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	KAV_97_10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	KAV_97_10.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3152	explorer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2232	msedge.exe
2232	msedge.exe
4876	msedge.exe
4876	msedge.exe
3492	identity_helper.exe
3492	identity_helper.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3152	explorer.exe
3152	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 452	1728	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe	79
PID 1728 wrote to memory of 452	1728	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe	79
PID 1728 wrote to memory of 452	1728	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe	79
PID 452 wrote to memory of 3636	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	80
PID 452 wrote to memory of 3636	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	80
PID 452 wrote to memory of 3636	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	80
PID 452 wrote to memory of 4876	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	84
PID 452 wrote to memory of 4876	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	84
PID 452 wrote to memory of 3912	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	85
PID 452 wrote to memory of 3912	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	85
PID 452 wrote to memory of 3912	452	bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp	85
PID 4876 wrote to memory of 808	4876	msedge.exe	87
PID 4876 wrote to memory of 808	4876	msedge.exe	87
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 5012	4876	msedge.exe	90
PID 4876 wrote to memory of 2232	4876	msedge.exe	91
PID 4876 wrote to memory of 2232	4876	msedge.exe	91
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92
PID 4876 wrote to memory of 4984	4876	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe
"C:\Users\Admin\AppData\Local\Temp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\is-AO9SP.tmp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AO9SP.tmp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp" /SL5="$401CA,672580,51712,C:\Users\Admin\AppData\Local\Temp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    3⤵
    PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.si44.com/
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa083546f8,0x7ffa08354708,0x7ffa08354718
      4⤵
      PID:808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      4⤵
      PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:3696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:2248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 /prefetch:8
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      4⤵
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
      4⤵
      PID:2448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5828 /prefetch:8
      4⤵
      PID:1540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
      4⤵
      PID:1412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6412f5460,0x7ff6412f5470,0x7ff6412f5480
        5⤵
        
        PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6525329805066532765,158125392235542110,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2640 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4388
- - C:\Windows\CSIDLCOMMONS\KAV_97_10.exe
    "C:\Windows\CSIDLCOMMONS\KAV_97_10.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Modifies system certificate store
    PID:3912
  - - \??\c:\programdata\kingsoft\kis\OnlineInstall\Kav\opkg\kav_down.exe
      "c:\programdata\kingsoft\kis\OnlineInstall\Kav\opkg\kav_down.exe" -PARTNER=O_KIS_97.10 /versiontypes=184549376 /productid=6357002 /iid=186849934 /tid=3B8C47C49D270037B9B66BCCA68D81500FCB72B138719798FE896DF8BE09569730D16BB61BF2944B33533E5003E2B2392E79E26A812404438A55C7752FD84D84 /oemdircommon=c:\programdata\kingsoft\kis\OnlineInstall\0x00000000\duba_common /tod=97.10 /Dkav /customize=0 /S /Duuid=202212061813048720FEB3ECA /D=C:\Program Files (x86)\Kingsoft\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      PID:4996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kingsoft\kis\OnlineInstall\Kav\opkg\kav_down.exe

Filesize
28.8MB

MD5
2f82a626e189e3ee203c23954586cba9

SHA1
e8e42be1a2d64cfc02f1890547c0ca1595c59764

SHA256
c789f3686074617e1c909dfa6f93f472e494833c254a2eadb5ba948096412ce7

SHA512
3ec51ff75869c772431499d989ff7dd34cc70b9d1f56e41f5ca2d8be33ab0a2e5d3a536cb78e59f272977084a2a3a4f411a8b4bf0c2fd59c05d010b681748eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AO9SP.tmp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp

Filesize
705KB

MD5
eb494bad9478bc28c4f8fb7fd7778445

SHA1
1b3e504108b39c6978e737e08d4cbd2c22d95e86

SHA256
e1af346595829eba017ec343cb179dd217b7991fb322cc4e8f18bf40ef8f941d

SHA512
8b14a9c14185d5afaba7443bf43cf14371ef3c3d524de00ba850f07952d1d18abdc62118cc4893ed2fa66570eb4098d01ba338f0cc00ae19be7bb697dc8d9f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AO9SP.tmp\bedfd3e677713b2524c7b73a3ce6ebadcea03ce0617d6a0e4e323cdf6cdf5f5c.tmp

Filesize
705KB

MD5
eb494bad9478bc28c4f8fb7fd7778445

SHA1
1b3e504108b39c6978e737e08d4cbd2c22d95e86

SHA256
e1af346595829eba017ec343cb179dd217b7991fb322cc4e8f18bf40ef8f941d

SHA512
8b14a9c14185d5afaba7443bf43cf14371ef3c3d524de00ba850f07952d1d18abdc62118cc4893ed2fa66570eb4098d01ba338f0cc00ae19be7bb697dc8d9f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P8F8I.tmp\InstallDll.dll

Filesize
419KB

MD5
1a0f40eaceb77bda3007955721726d5e

SHA1
3c5b7e2f6e297c0343279e76905603b07374efd1

SHA256
514ae15bdd10b4679c08e28b12551218b057b1c6699e0db22738646294d18d69

SHA512
f903b931f7c719e0cd3fda3525375665a717bc2718d9a10b931a466b883140ffc085e7af6a71fedb4c0c303fd02de4f39a5897deb61c3f5b28fa8eef224ec943

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P8F8I.tmp\InstallDll.dll

Filesize
419KB

MD5
1a0f40eaceb77bda3007955721726d5e

SHA1
3c5b7e2f6e297c0343279e76905603b07374efd1

SHA256
514ae15bdd10b4679c08e28b12551218b057b1c6699e0db22738646294d18d69

SHA512
f903b931f7c719e0cd3fda3525375665a717bc2718d9a10b931a466b883140ffc085e7af6a71fedb4c0c303fd02de4f39a5897deb61c3f5b28fa8eef224ec943

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn278A.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn278A.tmp\ksiext.dll

Filesize
1009KB

MD5
335327c9d1e299ade4b7362ef60749d8

SHA1
83d4c646292e4194f0264f8427f61a7a7dfc3d9c

SHA256
7e6d2edb22bd9e7e4e826e3a6cbf7379285cdcc46045c8e4375b469b8f677a47

SHA512
f4e8dc14f39fd32420b389a1dddb7344507d16b82d5e15ffc85edff6ccac088a68a05ac60858a5f7b6aa7b32b1c33b211523d0936dc133228a7833ced921e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn278A.tmp\ksiext.dll

Filesize
1009KB

MD5
335327c9d1e299ade4b7362ef60749d8

SHA1
83d4c646292e4194f0264f8427f61a7a7dfc3d9c

SHA256
7e6d2edb22bd9e7e4e826e3a6cbf7379285cdcc46045c8e4375b469b8f677a47

SHA512
f4e8dc14f39fd32420b389a1dddb7344507d16b82d5e15ffc85edff6ccac088a68a05ac60858a5f7b6aa7b32b1c33b211523d0936dc133228a7833ced921e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn278A.tmp\ksiext.dll

Filesize
1009KB

MD5
335327c9d1e299ade4b7362ef60749d8

SHA1
83d4c646292e4194f0264f8427f61a7a7dfc3d9c

SHA256
7e6d2edb22bd9e7e4e826e3a6cbf7379285cdcc46045c8e4375b469b8f677a47

SHA512
f4e8dc14f39fd32420b389a1dddb7344507d16b82d5e15ffc85edff6ccac088a68a05ac60858a5f7b6aa7b32b1c33b211523d0936dc133228a7833ced921e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn278A.tmp\ksiext.dll

Filesize
1009KB

MD5
335327c9d1e299ade4b7362ef60749d8

SHA1
83d4c646292e4194f0264f8427f61a7a7dfc3d9c

SHA256
7e6d2edb22bd9e7e4e826e3a6cbf7379285cdcc46045c8e4375b469b8f677a47

SHA512
f4e8dc14f39fd32420b389a1dddb7344507d16b82d5e15ffc85edff6ccac088a68a05ac60858a5f7b6aa7b32b1c33b211523d0936dc133228a7833ced921e83e

Download Submit
C:\Windows\CSIDLCOMMONS\KAV_97_10.exe

Filesize
677KB

MD5
e473d4d66d043c5ef07b1bc80af31e27

SHA1
3b33cbc5fda3ded92434f450fbdf34c9da11f541

SHA256
f7108dcf904c5256d8904ac2f9bc8cbd1e545dace38b4cf0210d9c3b7f10c919

SHA512
4f3be6f4c3ee89d8e13928ddf22edfc09c55b1a0149b8c50d4aa1999183d33ba9273dc6c26a620b40954391972f91381a7d73bc3d1eeaa8e414f232bb20b7ba9

Download Submit
C:\Windows\CSIDLCOMMONS\KAV_97_10.exe

Filesize
677KB

MD5
e473d4d66d043c5ef07b1bc80af31e27

SHA1
3b33cbc5fda3ded92434f450fbdf34c9da11f541

SHA256
f7108dcf904c5256d8904ac2f9bc8cbd1e545dace38b4cf0210d9c3b7f10c919

SHA512
4f3be6f4c3ee89d8e13928ddf22edfc09c55b1a0149b8c50d4aa1999183d33ba9273dc6c26a620b40954391972f91381a7d73bc3d1eeaa8e414f232bb20b7ba9

Download Submit
\??\c:\programdata\kingsoft\kis\OnlineInstall\Kav\opkg\kav_down.exe

Filesize
28.8MB

MD5
2f82a626e189e3ee203c23954586cba9

SHA1
e8e42be1a2d64cfc02f1890547c0ca1595c59764

SHA256
c789f3686074617e1c909dfa6f93f472e494833c254a2eadb5ba948096412ce7

SHA512
3ec51ff75869c772431499d989ff7dd34cc70b9d1f56e41f5ca2d8be33ab0a2e5d3a536cb78e59f272977084a2a3a4f411a8b4bf0c2fd59c05d010b681748eb8

Download Submit
\??\pipe\LOCAL\crashpad_4876_ALLLGZFYZJKLJCZR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/452-140-0x0000000003A10000-0x0000000003A7F000-memory.dmp

Filesize
444KB

Download
memory/452-134-0x0000000000000000-mapping.dmp

Download
memory/808-146-0x0000000000000000-mapping.dmp

Download
memory/1540-165-0x0000000000000000-mapping.dmp

Download
memory/1728-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1728-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1728-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2232-150-0x0000000000000000-mapping.dmp

Download
memory/2248-157-0x0000000000000000-mapping.dmp

Download
memory/2448-163-0x0000000000000000-mapping.dmp

Download
memory/2564-174-0x0000000000000000-mapping.dmp

Download
memory/3492-180-0x0000000000000000-mapping.dmp

Download
memory/3636-141-0x0000000000000000-mapping.dmp

Download
memory/3696-155-0x0000000000000000-mapping.dmp

Download
memory/3912-143-0x0000000000000000-mapping.dmp

Download
memory/4184-161-0x0000000000000000-mapping.dmp

Download
memory/4336-179-0x0000000000000000-mapping.dmp

Download
memory/4388-181-0x0000000000000000-mapping.dmp

Download
memory/4832-159-0x0000000000000000-mapping.dmp

Download
memory/4876-142-0x0000000000000000-mapping.dmp

Download
memory/4984-153-0x0000000000000000-mapping.dmp

Download
memory/4996-172-0x0000000004B30000-0x0000000004C2D000-memory.dmp

Filesize
1012KB

Download
memory/4996-166-0x0000000000000000-mapping.dmp

Download
memory/5012-149-0x0000000000000000-mapping.dmp

Download