fa941c8e6fadbd6cde8f65c2b4e7fd30ec02249f0baa4d05ed018eefe796b519

Analysis

max time kernel
78s
max time network
83s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-04-2023 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kaspersky.exe
Size

2.6MB
MD5

3071557264428b5f2ba67708401db241
SHA1

6709985adf590690fa23c2ed1558302d9a408cb5
SHA256

fa941c8e6fadbd6cde8f65c2b4e7fd30ec02249f0baa4d05ed018eefe796b519
SHA512

e3314fd377131510ccb3a140608b26fcbc023d9b636b0e96c0a7b19377883c792c62000ff15c1211b5f32470ed49492f3f85966869d904bae3dd1dbabc4863e7
SSDEEP

49152:Z47Nlau3ZjJvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX87P:ZeNlau3lJOV9GvZbRDe/2z

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

startup.exeTEST_WPF.EXE

pid process

2600 startup.exe
2792 TEST_WPF.EXE
Loads dropped DLL 3 IoCs

Processes:

kaspersky.exestartup.exeTEST_WPF.EXE

pid process

3480 kaspersky.exe
2600 startup.exe
2792 TEST_WPF.EXE

pid	process
2600	startup.exe
2792	TEST_WPF.EXE

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

kaspersky.exestartup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\UseHR	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Anchor Underline	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\SmoothScroll	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Styles	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Print_Background	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Viewport	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\International\Scripts\3	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Move System Caret	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Videos	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Settings	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Styles	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Videos	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Text Scaling	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	startup.exe
Key queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Move System Caret	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kaspersky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Text Scaling	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\XMLHTTP	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\International	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\MenuExt	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	kaspersky.exe
Key queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Print_Background	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\UseHR	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Anchor Underline	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\International\Scripts\3	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Larger Hit Test	kaspersky.exe
Key queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride	startup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	kaspersky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\International\Scripts\4	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Key queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kaspersky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest	kaspersky.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Larger Hit Test	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\MenuExt	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images	startup.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

kaspersky.exestartup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kaspersky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	startup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

kaspersky.exe

description ioc process

File opened for modification \??\PhysicalDrive0 kaspersky.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

kaspersky.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN kaspersky.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	kaspersky.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	kaspersky.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

kaspersky.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	kaspersky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

kaspersky.exestartup.exetaskmgr.exe

pid	process
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
2600	startup.exe
2600	startup.exe
980	taskmgr.exe
980	taskmgr.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	980	taskmgr.exe
Token: SeSystemProfilePrivilege	980	taskmgr.exe
Token: SeCreateGlobalPrivilege	980	taskmgr.exe
Token: 33	980	taskmgr.exe
Token: SeIncBasePriorityPrivilege	980	taskmgr.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

kaspersky.exetaskmgr.exestartup.exe

pid	process
3480	kaspersky.exe
3480	kaspersky.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
2600	startup.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

taskmgr.exe

pid	process
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

kaspersky.exestartup.exe

pid	process
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
3480	kaspersky.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe
2600	startup.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

kaspersky.exestartup.exe

description	pid	process	target process
PID 3480 wrote to memory of 2600	3480	kaspersky.exe	startup.exe
PID 3480 wrote to memory of 2600	3480	kaspersky.exe	startup.exe
PID 3480 wrote to memory of 2600	3480	kaspersky.exe	startup.exe
PID 3480 wrote to memory of 4168	3480	kaspersky.exe	kaspersky.exe
PID 3480 wrote to memory of 4168	3480	kaspersky.exe	kaspersky.exe
PID 3480 wrote to memory of 4168	3480	kaspersky.exe	kaspersky.exe
PID 2600 wrote to memory of 2792	2600	startup.exe	TEST_WPF.EXE
PID 2600 wrote to memory of 2792	2600	startup.exe	TEST_WPF.EXE
PID 2600 wrote to memory of 2792	2600	startup.exe	TEST_WPF.EXE

C:\Users\Admin\AppData\Local\Temp\kaspersky.exe
"C:\Users\Admin\AppData\Local\Temp\kaspersky.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\startup.exe
"C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\startup.exe" -auto_update_mode="C:\Users\Admin\AppData\Local\Temp\kaspersky.exe" /-self_remove -l=en -xpos=414 -ypos=74 -prevsetupver=21.3.10.391.0.21.0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\E59A9AF6-D1A0-11ED-B673-76A232A3E020\TEST_WPF.EXE
"C:\Users\Admin\AppData\Local\Temp\E59A9AF6-D1A0-11ED-B673-76A232A3E020\TEST_WPF.EXE" "C:\Users\Admin\AppData\Local\Temp\B13A42FC0A1DDE116B37672A233A0E02\setup.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792

C:\Users\Admin\AppData\Local\Temp\kaspersky.exe
"C:\Users\Admin\AppData\Local\Temp\kaspersky.exe" -cleanup="C:\Users\Admin\AppData\Local\Temp\DFAC2FAB0A1DDE116B37672A233A0E02;3480"
2⤵
PID:4168

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Security Software Discovery

T1063

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\dynamic.ini
Filesize
98B

MD5
9b007615092ca05cd836941b21704327

SHA1
e5db62784fa97e5533b86e0ed0e6fdfba1ff28cf

SHA256
ace8998481ed3c8eb9ed444a681844993996ac16104b84b0524abffae30a61b2

SHA512
783a75dd5ea5405ed70f60887d88ba0beba7ff1b77b36c491ce9f4b015e1b961df92ec6615a8c5b1dba900a1a038390769856c9c70d58803bc9eed6b58309635

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\startup.exe
Filesize
2.6MB

MD5
52c9f5d97af0e8d7345f51091dc905e6

SHA1
ebbf72c39d30654130c9bcde627abb33a22210ac

SHA256
1c44c2e745d5b0b9c16e26b04f062401426218fac5797c789ca9c02576e30617

SHA512
3a74a5fda0cf1758311f62c55d90474be91c057974bfd18637fd79754a0fe6551ceac80270845ff7377c41dc32cdf5ba37c7184c65ff6322101326359f6d8267

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\startup.exe
Filesize
2.6MB

MD5
52c9f5d97af0e8d7345f51091dc905e6

SHA1
ebbf72c39d30654130c9bcde627abb33a22210ac

SHA256
1c44c2e745d5b0b9c16e26b04f062401426218fac5797c789ca9c02576e30617

SHA512
3a74a5fda0cf1758311f62c55d90474be91c057974bfd18637fd79754a0fe6551ceac80270845ff7377c41dc32cdf5ba37c7184c65ff6322101326359f6d8267

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\startup.exe
Filesize
2.6MB

MD5
52c9f5d97af0e8d7345f51091dc905e6

SHA1
ebbf72c39d30654130c9bcde627abb33a22210ac

SHA256
1c44c2e745d5b0b9c16e26b04f062401426218fac5797c789ca9c02576e30617

SHA512
3a74a5fda0cf1758311f62c55d90474be91c057974bfd18637fd79754a0fe6551ceac80270845ff7377c41dc32cdf5ba37c7184c65ff6322101326359f6d8267

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_C7A149E1-D1A0-11ED-B673-76A232A3E020\static.ini
Filesize
5KB

MD5
806ad12413975ff4c47101b64b48216c

SHA1
992452c2ba300dc1f527eb5d2ac4b6395e9dd04c

SHA256
ed4d3ee2fd98ccb6192290b9091a6e26f6dd28d9f964c95dff644bc8bd4a904c

SHA512
28bcafbd627ac507fbea4f1ec02b01a05ff47ede9e365f088d46278c0c8ed4ccaf686ed08bd8570971966bc6ca88f562c4034661387c5456d5dbd8b648cde278

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\kdscrl.rdb.z
Filesize
4KB

MD5
27cdd49538b9a277f61c4fb751ec18af

SHA1
ca5999b462319a13135d6d9adf24233fdb0ad906

SHA256
ba4708e05497b63c511e92cb9e3a837ce499e09d653412918155072b41b8e630

SHA512
f9e10cd95820694010feb2f9769a5a50bd0723bf27659145752646084f38dbaf52602cbf36e46f863e0e6bd6163a94d9577c9913b69f1275a45ad3609b979083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
471B

MD5
5e1bdc1b52a7cb2808d186d90dffca07

SHA1
6e4e26f86558c08376dd916971246f3241b68af2

SHA256
7a5f46a4867ea1bd02e7ddf0c9ebeeee22c1cc908535656b4cd6a5eafd1fafc5

SHA512
a397cf2b87a8ac9aaa832ffe142320fbe314ba71cb7aefae678a525d6dc384db3ea1169383cb3eb4f21f8009be442f1a0e938c21ce80cc1602b6186541c50214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
434B

MD5
c7b641c2efe38f7347c53a7db2cd9ecf

SHA1
4babbe57a16305212ea849a1a0e738596b0dcd44

SHA256
60054dc8fb8a47309dee339e8b864c736084a1ce5f2ff30a8ffaffa1d54a123f

SHA512
f2b349b14f2fae77df7f430658ec33dcdd18d994c19ee86bae496faa9cb2f9a6a9ccc95fca4bb6e468960142da20e7cf4fc7ffbbdbaafc41b5e34b9ecc7b8f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CGIBCFQE.cookie
Filesize
105B

MD5
1a4dccd68388eb4d6e18aabe3c711ff7

SHA1
1be30b999deffcb93b531de239e92a3d1e00d335

SHA256
b89e8d06c745fdf0874ca03a95547e4e473f0c18f379e05ed1683df0c5253ed9

SHA512
ab811c481a99c4e8b9c9a127c0ea49f4e4012b3ca3fa7f1e3c3279dfce69073199e37cd22cf8eee6301f78d2c1cb1883d67a53463dcd20daa097d075c56229a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B13A42FC0A1DDE116B37672A233A0E02\setup.dll
Filesize
5.1MB

MD5
47bba658d9b8c74a8c94d7024ba608b6

SHA1
902be0a993f37db76eb5ad237aae5568c20bad95

SHA256
3279d6e132eb640cef3d74c5edf851a93e9553d7c889a6e665360058405af5f5

SHA512
8a8635083db6cc825cac63ca834cc1b1ec5412746db293f1bf44af5731265044c45108a54adf428e83111237c1f3e60f7dd048ec7066b655780145c80569a1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAF2CAFE-D1A0-11ED-B673-76A232A3E020\check_new_version.html
Filesize
1KB

MD5
b79ab8145423e4714f4d3623a7913eef

SHA1
0f17053bd76724cb244866c537de47ea6124331a

SHA256
59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe

SHA512
239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAF2CAFE-D1A0-11ED-B673-76A232A3E020\kis-loading.gif
Filesize
10KB

MD5
69d4b9b309bfa6a87f7620647bafd2d0

SHA1
c9f6bb4d6494bbd7a47d52874da43501afb97c6d

SHA256
f056164cf99799234c90e2318e90ab5d83d0fd855118224286ff0680ee455734

SHA512
2aa95fa187d24b4310af4e72a49c8fe665b84aa15ed33ca5b78a88da861554948d5fdb2f0b59ba8560b8c9dc1d4ff8cf5b37bdc1cbdb4fdf7a6e6fbe7e4f4b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAF2CAFE-D1A0-11ED-B673-76A232A3E020\kis-logo.png
Filesize
4KB

MD5
18f81892daa926fec1d30324b4cd9367

SHA1
0f0753271f09aecd6731c9dd998d15df5f967b7e

SHA256
681a96b96b5e0425fc74be929d29164528bf0bc0a84ac97952c011e407e23d9b

SHA512
5e07a3f44f6135291909680abb62e21d0c6bca899905aafa66cc3b436e77430a3ea96a95b54f2705e1f9dd49b60a855d986c4d76ea65dc9a9a5edf3d2748550d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\default_slide.html
Filesize
718B

MD5
f56557132c620da7a847248386f1651d

SHA1
3663505e61c38ea40a6675090d7d20893beac69b

SHA256
a0f3b6ba8cfc5513a7a812630fa941c9586f61851e0b387ff53538e31c58e62a

SHA512
981bda6eedb3a8171de8cd2a681036ab0ea39299423ff397f7027fbb611e5a24f5130eae28e1646fd86a8de997804c056a0eb651b37e194f740565a04e5b519f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\jquery-1.12.4.min.js
Filesize
94KB

MD5
618538b4ab9639d444e962729a927f15

SHA1
dacc1f76630a9708add066819b1aabf8dce01056

SHA256
27d92130c0321dad5a03760fd5ac98a3d04ed4c94d88418fe6d50da1f7fc5cbe

SHA512
bcb6754ea246939a19a917cc0b810e1753c1b0f1a8b1b7e652128ef15dee4fc79111e4d88fe12f9188449a307e82240d0261af402d783428edfe5785c860372d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\jquery.custom_select.min.js
Filesize
5KB

MD5
d2c620c462b75696eea1fb22fb23602a

SHA1
900f78eb8e1103be1535af5e76d1bed686cdcce3

SHA256
dd678d32073078552e0e2c35eed78f16cc8d6e8662d4734518561a1b183f775c

SHA512
40e1180b63b328c22cfacc40529cbda2409a54fbbbd5813fcc5f8dcdf95ad7fcd74ea96382e3a2d0bcfed9e68c208f7733b7c630edee7e2013c9a5459091c02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\kis-print.css
Filesize
306B

MD5
1304724dd5001b2600fc5bd80c098f1e

SHA1
87ec458c25a35e3a45c2a6ede9ec16ec4d4c7093

SHA256
2481b34b48fd96b194405da621e8e5f19142dcb55744f9c9a93591705cb697fd

SHA512
4371fbd6ba7e84ae827ec73bec4c903275e4373c16063b6fe63ca157a4db346df5617a9db5c9e1fdcb661f220f6dcbc1f7e4003805dba9fa7a279fc882aebeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\kis-script-lte-ie8.js
Filesize
1KB

MD5
5134186180074c51639d7a514919ed23

SHA1
23bddb16b3b6c3a687dfcfed5c1a6c23c0ed1f0a

SHA256
33e84b33ff911257e3a6a303c08a2cc178827dadb7dfd7c951e096866e02ad5e

SHA512
8ad216cee9192533801b0f10f3bc149506f75dfd2cd554e801e1732b474629435ada4549473176b5440c57c112986dd198dcf508fb0e55ed3a050a75b0fa3d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\kis-script.js
Filesize
306B

MD5
026425ccbf4417eefa444285707132ef

SHA1
a953b9f6781d4b6daa2eedc0c45d358f2a472370

SHA256
97e5f342227ea23c27c1b660f111847fcdd9d7b23c1d248c733a36f983fd7f04

SHA512
a266e2f9f10620347f0d05d081362086e81c67fb7c5f4a74c26cca54686f6afb2f2933b1f7afb6d9c96382ff4e4e3cf2f0f38cdd162175cdefccb5909b1aa6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\kis-style.css
Filesize
29KB

MD5
2b4bd0afd0e9dd5c90fb8c3bb4a5d619

SHA1
a4a1a61d43e8f897d36fef9e1927848de2d312cc

SHA256
f9963b403e053f6bfa7c87cad3c10dd55cf1f94fefe00c6380921440e28b48d2

SHA512
c0b284552502304f05dd10606e01b0d35210a27f982bba8a605f2939a2ac43890636175431eab99edc45cfc2825fe1b1cffabd8067d9eaa7ad59af466a052974

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\progress_page.html
Filesize
2KB

MD5
4420b72ebf4e4adccb24495cb1ea2ae3

SHA1
f1a568f03c4427631698f4b5b898910a5cccd1a2

SHA256
e6dc758016bdf87714eb1d3033d1618e6f8301b91e21c31c57b830ef056d7805

SHA512
b4fec7907069a1d73ccf8ae3796bb29d510826f4ec97a30495313aafa35b7a0dc022eb3576f87dde60d3b5320e6d936067f8f2c6f2f6dc0d9492a9c4d7b8fefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\welcome_page_kavkis.html
Filesize
2KB

MD5
725363d5b886e02f1c5476f79590b577

SHA1
be2e4e60b62c8705443972015a86a23c7ec4bd50

SHA256
29f0688682087bc5262f8abb97d0804a1fc8a7ff16685c24b6197e61cc1a6401

SHA512
eeabe64d4828c5633fb687c72d75b3524f62b9a4a912b3fb36d280e0c32e7d79fe12f92e8bb962ccbe10a1770016ac108d853b5046089316d25d7e2d6bf39413

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF24A31C-D1A0-11ED-B673-76A232A3E020\welcome_page_ready_for_install.html
Filesize
2KB

MD5
980ba4502a2013faf926940ab9a607b0

SHA1
cbf9b99cdf4323513eb614f77afc44e9005eeb27

SHA256
16082956bc9dc994c093542d2d7148c31d950beeeedee2ba499aa09d843039d2

SHA512
ae4c7ab6a399433eda880a702f8a0b4f1e82fa3bd1d6da1db9bc90b4acaad80dc9bc85655211d3aad8dd496096267122420ce049a99b6c5cddedfe826f176bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFAC2FAB0A1DDE116B37672A233A0E02\setup.dll
Filesize
5.1MB

MD5
7c0418acfb24086ede591a7e1d3df7ac

SHA1
9bee27188d04bf44fa2e95a8fcb575497396f2b0

SHA256
d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a

SHA512
e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E59A9AF6-D1A0-11ED-B673-76A232A3E020\TEST_WPF.EXE
Filesize
30KB

MD5
ff5a0f886248cf3a78fad8d2059f6ecb

SHA1
1dd9929259e6ef818482bc775936a57e2e1edfbf

SHA256
f9e1bf7cb669adcb4c0ff1096376d27c6e1729fd253990078f721961cbcce794

SHA512
c8b8b12f3351980346fd3ed017233a93816f7cd505077d7403627330c7080f17b691bd69fb81061018685ca32f0b8dc6352beba6bd312a32e65c98e74aebfb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\E59A9AF6-D1A0-11ED-B673-76A232A3E020\TEST_WPF.EXE
Filesize
30KB

MD5
ff5a0f886248cf3a78fad8d2059f6ecb

SHA1
1dd9929259e6ef818482bc775936a57e2e1edfbf

SHA256
f9e1bf7cb669adcb4c0ff1096376d27c6e1729fd253990078f721961cbcce794

SHA512
c8b8b12f3351980346fd3ed017233a93816f7cd505077d7403627330c7080f17b691bd69fb81061018685ca32f0b8dc6352beba6bd312a32e65c98e74aebfb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\E59A9AF6-D1A0-11ED-B673-76A232A3E020\TEST_WPF.EXE.config
Filesize
215B

MD5
291d5cf5b0752c78eaefa2c1d099cdd6

SHA1
39d2c6a4ac22c219de3bf7e44733e4d02e4a08d8

SHA256
8a09e9d24204a2e4dcbb2ace67e06e7a04934fa7b1741579aa2ccddc3eeb7a8d

SHA512
0b10053abfdbc49a35191ad7e8e73bee0550ef50fb1cd5fe368e3e21260e948d91521e74e6a7ad31547aa4ab3d157ce8a17ad60632e0e27c82436bcb0da15c34

Download Submit
\Users\Admin\AppData\Local\Temp\B13A42FC0A1DDE116B37672A233A0E02\setup.dll
Filesize
5.1MB

MD5
47bba658d9b8c74a8c94d7024ba608b6

SHA1
902be0a993f37db76eb5ad237aae5568c20bad95

SHA256
3279d6e132eb640cef3d74c5edf851a93e9553d7c889a6e665360058405af5f5

SHA512
8a8635083db6cc825cac63ca834cc1b1ec5412746db293f1bf44af5731265044c45108a54adf428e83111237c1f3e60f7dd048ec7066b655780145c80569a1e0

Download Submit
\Users\Admin\AppData\Local\Temp\B13A42FC0A1DDE116B37672A233A0E02\setup.dll
Filesize
5.1MB

MD5
47bba658d9b8c74a8c94d7024ba608b6

SHA1
902be0a993f37db76eb5ad237aae5568c20bad95

SHA256
3279d6e132eb640cef3d74c5edf851a93e9553d7c889a6e665360058405af5f5

SHA512
8a8635083db6cc825cac63ca834cc1b1ec5412746db293f1bf44af5731265044c45108a54adf428e83111237c1f3e60f7dd048ec7066b655780145c80569a1e0

Download Submit
\Users\Admin\AppData\Local\Temp\DFAC2FAB0A1DDE116B37672A233A0E02\setup.dll
Filesize
5.1MB

MD5
7c0418acfb24086ede591a7e1d3df7ac

SHA1
9bee27188d04bf44fa2e95a8fcb575497396f2b0

SHA256
d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a

SHA512
e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Download Submit
memory/2600-182-0x0000000077F90000-0x0000000077FA0000-memory.dmp

Filesize
64KB

Download
memory/2600-181-0x0000000077F90000-0x0000000077FA0000-memory.dmp

Filesize
64KB

Download
memory/2600-180-0x0000000077F90000-0x0000000077FA0000-memory.dmp

Filesize
64KB

Download
memory/2792-453-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-443-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-487-0x0000000007A20000-0x0000000007A2E000-memory.dmp

Filesize
56KB

Download
memory/2792-486-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/2792-405-0x00000000055E0000-0x0000000005B42000-memory.dmp

Filesize
5.4MB

Download
memory/2792-409-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2792-485-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/2792-413-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-412-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-415-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-416-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-414-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-484-0x0000000007730000-0x0000000007770000-memory.dmp

Filesize
256KB

Download
memory/2792-417-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-419-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-418-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-420-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-421-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-422-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-423-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-425-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-426-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-424-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-428-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-430-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-431-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-432-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-429-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-433-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-434-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-435-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-437-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-438-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-439-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-440-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-441-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-442-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-483-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/2792-444-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-445-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-446-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-447-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-448-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-450-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-451-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-449-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-452-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-454-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-482-0x0000000006140000-0x0000000006178000-memory.dmp

Filesize
224KB

Download
memory/2792-455-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-457-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-456-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-458-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-459-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-460-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-461-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-462-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-463-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-464-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-466-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-467-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-465-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-468-0x0000000077F70000-0x0000000077F80000-memory.dmp

Filesize
64KB

Download
memory/2792-475-0x0000000005B50000-0x0000000005EC7000-memory.dmp

Filesize
3.5MB

Download
memory/2792-476-0x00000000052F0000-0x000000000542C000-memory.dmp

Filesize
1.2MB

Download
memory/2792-477-0x00000000064D0000-0x0000000006AC4000-memory.dmp

Filesize
6.0MB

Download
memory/2792-478-0x0000000006AD0000-0x0000000006E34000-memory.dmp

Filesize
3.4MB

Download
memory/2792-479-0x0000000005ED0000-0x0000000005F6C000-memory.dmp

Filesize
624KB

Download
memory/2792-480-0x0000000005550000-0x00000000055B4000-memory.dmp

Filesize
400KB

Download
memory/2792-481-0x0000000006200000-0x000000000648C000-memory.dmp

Filesize
2.5MB

Download
memory/3480-117-0x0000000077F80000-0x0000000077F90000-memory.dmp

Filesize
64KB

Download
memory/3480-118-0x0000000077F80000-0x0000000077F90000-memory.dmp

Filesize
64KB

Download
memory/3480-119-0x0000000077F80000-0x0000000077F90000-memory.dmp

Filesize
64KB

Download
memory/4168-342-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/4168-340-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/4168-341-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download