Analysis
max time kernel: 452s
max time network: 417s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 02:42
Behavioral tasks
task | Sample | Resource
behavioral1 | kav_setup.exe | win7-20240508-en
behavioral2 | kav_setup.exe | win10v2004-20240508-en
behavioral3 | out.exe | win7-20240221-en
behavioral4 | out.exe | win10v2004-20240508-en
General
Target: kav_setup.exe
Size: 13.6MB
MD5: 4b80eaf2288aa715354cfc42e87f6a55
SHA1: 2b2227c1135fde2f277eec549faecc57020d6947
SHA256: bdf40bbc008ab151db86ace1b8c2385b8eed742031db4277c4f29ce164995294
SHA512: c51dd779628703e555609768cdcf36b145a67bdb9602f62917dd6162f99560e333fddcfce80f41b9865af2d0fe11242e048ea869080f71f5c8d357ed77d9b4f5
SSDEEP: 393216:c/XADqwibq/RIYuUniCRX1mezmAHy5+DIW4scYMMDIknl5:cGA8Ib86AG+DIW6szl5
Malware Config
Signatures
Drops file in Drivers directory 15 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\ksapi.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kusbquery.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kusbquery64.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kdhacker.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\ksskrpr.sys | kav_setup.exe
File opened for modification | C:\Windows\system32\drivers\kavbootc64.sys | kdrvmgr.exe
File opened for modification | C:\Windows\system32\drivers\kisknl.sys | kxescore.exe
File created | C:\Windows\system32\drivers\kavbootc64.sys | kav_setup.exe
File opened for modification | C:\Windows\SysWOW64\drivers\kisknl.sys | kxescore.exe
File created | C:\Windows\system32\drivers\bc.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kavbootc.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kisknl.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kisknl64.sys | kav_setup.exe
File created | C:\Windows\system32\drivers\kdhacker64.sys | kav_setup.exe
File opened for modification | C:\Windows\system32\drivers\kavbootc64.sys | kdrvmgr.exe
Sets file execution options in registry 2 TTPs 28 IoCs
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
description | ioc (subkey) | Process
Key created | kavlog2.exe | kav_setup.exe
Key created | kisaddin.exe | kav_setup.exe
Key created | ksignsp.exe | kav_setup.exe
Key deleted | kxetray.exe | kav_setup.exe
Key created | kiscall.exe | kav_setup.exe
Key created | kislive.exe | kav_setup.exe
Key created | kxetray.exe | kav_setup.exe
Key created | scomregsvrv8.exe | kav_setup.exe
Key deleted | kismain.exe | kav_setup.exe
Key deleted | kscan.exe | kav_setup.exe
Key created | ksetupwiz.exe | kav_setup.exe
Key deleted | ksignsp.exe | kav_setup.exe
Key deleted | kxescore.exe | kav_setup.exe
Key deleted | uninst.exe | kav_setup.exe
Key deleted | kisaddin.exe | kav_setup.exe
Key deleted | kiscall.exe | kav_setup.exe
Key deleted | krecycle.exe | kav_setup.exe
Key deleted | scomregsvrv8.exe | kav_setup.exe
Key deleted | kdrvmgr.exe | kav_setup.exe
Key created | kxescore.exe | kav_setup.exe
Key created | kdrvmgr.exe | kav_setup.exe
Key deleted | kislive.exe | kav_setup.exe
Key created | kismain.exe | kav_setup.exe
Key created | kscan.exe | kav_setup.exe
Key deleted | kavlog2.exe | kav_setup.exe
Key deleted | ksetupwiz.exe | kav_setup.exe
Key created | krecycle.exe | kav_setup.exe
Key created | uninst.exe | kav_setup.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KDHacker\ImagePath = "\\??\\c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\security\\kxescan\\kdhacker64.sys" | kxescore.exe
Executes dropped EXE 13 IoCs
pid | Process
2784 | kxetray.exe
2392 | kxescore.exe
2688 | kavlog2.exe
2748 | vulfix.exe
1108 | kxescore.exe
2744 | kdrvmgr.exe
620 | kislive.exe
2204 | kxetray.exe
2580 | kscan.exe
1516 | kdrvmgr.exe
1456 | kislive.exe
2932 | kxetray.exe
2976 | kupdata.exe
Loads dropped DLL 64 IoCs
pid | Process | occurrences
2400 | kav_setup.exe | 15
2784 | kxetray.exe | 9
2688 | kavlog2.exe | 4
2392 | kxescore.exe | 5
2748 | vulfix.exe | 8
1108 | kxescore.exe | 23
Registers COM server for autorun 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32 | kav_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll" | kav_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment" | kav_setup.exe
resource | yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000515000-memory.dmp | upx
behavioral1/memory/2400-77-0x0000000000400000-0x0000000000515000-memory.dmp | upx
behavioral1/memory/2400-731-0x0000000000400000-0x0000000000515000-memory.dmp | upx
behavioral1/memory/2400-845-0x0000000000400000-0x0000000000515000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun" | kav_setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini | kav_setup.exe
File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini | kav_setup.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc (drive roots opened, grouped by process) | Process
File opened (read-only) | \??\h:, \??\x:, \??\u:, \??\w:, \??\y:, \??\g:, \??\l:, \??\e:, \??\j:, \??\t:, \??\z:, \??\r:, \??\s:, \??\m:, \??\v:, \??\q:, \??\a:, \??\p: | kxescore.exe
File opened (read-only) | \??\F: | kxetray.exe
File opened (read-only) | \??\m:, \??\v:, \??\z:, \??\k:, \??\S:, \??\a:, \??\V:, \??\y:, \??\Q:, \??\U:, \??\W:, \??\h:, \??\T:, \??\b:, \??\P:, \??\A:, \??\B:, \??\s:, \??\N:, \??\G:, \??\X:, \??\q:, \??\l:, \??\p:, \??\r:, \??\K:, \??\Y:, \??\i:, \??\x:, \??\R:, \??\e:, \??\u:, \??\j:, \??\I:, \??\t:, \??\w:, \??\n:, \??\E:, \??\H:, \??\g:, \??\o:, \??\J:, \??\L:, \??\M:, \??\O: | kscan.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | kscan.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\KAVEventLog.EVT | kavlog2.exe
Drops file in Program Files directory 64 IoCs
All paths below are relative to \??\c:\program files (x86)\kingsoft\kingsoft antivirus\
description | ioc (relative path) | Process
File created | security\kxescan\kscanner.dll | kav_setup.exe
File created | security\kxescan\kseset.ktp | kxescore.exe
File created | kws_init.log | kxescore.exe
File created | ressrc\enu\bk\khackwall\1004.png | kav_setup.exe
File created | ressrc\enu\bk\kswscx\530.png | kav_setup.exe
File created | ressrc\enu\bk\kxetray\44.png | kav_setup.exe
File created | ressrc\enu\bk\vulfix\238.png | kav_setup.exe
File created | security\kxescan\lpolicy.dat | kav_setup.exe
File created | ressrc\enu\bk\kdefendpop\31019.xml | kav_setup.exe
File created | ressrc\enu\bk\vulfix\20027.png | kav_setup.exe
File created | ressrc\enu\bk\vulfix\155.xml | kav_setup.exe
File opened for modification | kswscxex.ini | kxetray.exe
File created | ressrc\enu\bk\kismaindll\77.png | kav_setup.exe
File created | ressrc\enu\bk\uninst\105.xml | kav_setup.exe
File created | ressrc\enu\bk\kismaindll\105.xml | kav_setup.exe
File created | ressrc\enu\bk\kxetray\100.bmp | kav_setup.exe
File created | security\kxescan\kxeutilcfg.ini | kav_setup.exe
File created | security\kxescan\kae\kaecore.ini | kav_setup.exe
File opened for modification | ksreng3.dll.log | kscan.exe
File created | ressrc\enu\bk\kxetray\89.png | kav_setup.exe
File created | ressrc\enu\bk\vulfix\60509.png | kav_setup.exe
File created | ressrc\enu\bk\vulfix\103.xml | kav_setup.exe
File created | khandler.dat | kav_setup.exe
File created | kswscxex.dll | kav_setup.exe
File created | ressrc\chs\kws\icon\commentbt.gif | kav_setup.exe
File created | ressrc\enu\bk\kswscx\122.xml | kav_setup.exe
File created | ressrc\enu\bk\kxetray\85.png | kav_setup.exe
File created | security\kxescan\ifrcfg.xml | kav_setup.exe
File opened for modification | kscanner.dll.log | kscan.exe
File created | kupdata.exe | kav_setup.exe
File created | ressrc\enu\bk\kismaindll\88.png | kav_setup.exe
File created | ressrc\enu\bk\kswscx\59.png | kav_setup.exe
File created | ressrc\enu\bk\kswscx\132.xml | kav_setup.exe
File created | vinfo.ini | kav_setup.exe
File created | kpopsvr.dll | kav_setup.exe
File created | kswbc.dll | kav_setup.exe
File created | scom.dll | kav_setup.exe
File created | ressrc\chs\kws\icon\kwsupicon1.gif | kav_setup.exe
File created | ressrc\enu\bk\kswscx\137.xml | kav_setup.exe
File created | ressrc\enu\bk\vulfix\154.xml | kav_setup.exe
File created | security\ksde\kisdcom.dll | kav_setup.exe
File opened for modification | security\kxescan\camera.krf | kxescore.exe
File created | security\kxescan\unknown.fsg | kav_setup.exe
File created | defendmon.dll | kav_setup.exe
File created | ressrc\enu\bk\defendmon\20026.xml | kav_setup.exe
File created | ressrc\enu\bk\kswscx\116.xml | kav_setup.exe
File created | ressrc\enu\bk\kswscx\121.xml | kav_setup.exe
File created | ressrc\enu\bk\kxetray\39.bmp | kav_setup.exe
File created | kusbquery64.sys | kav_setup.exe
File created | ressrc\enu\bk\khackwall\20000.xml | kav_setup.exe
File created | ressrc\enu\bk\kismaindll\104.xml | kav_setup.exe
File created | ressrc\enu\bk\kpopsvr\60001.xml | kav_setup.exe
File created | ressrc\enu\bk\vulfix\4.bmp | kav_setup.exe
File created | ressrc\enu\bk\kxetray\75.bmp | kav_setup.exe
File opened for modification | security\kxescan\bkrsdb.dat | kxescore.exe
File created | ressrc\enu\bk\defendmon\113.xml | kav_setup.exe
File created | ressrc\enu\bk\khackwall\100.xml | kav_setup.exe
File created | ressrc\enu\bk\kismaindll\1030.png | kav_setup.exe
File created | ressrc\enu\bk\kswscx\313.png | kav_setup.exe
File created | ressrc\enu\bk\kswscx\110.xml | kav_setup.exe
File created | ressrc\enu\bk\kswscx\115.xml | kav_setup.exe
File created | ressrc\enu\bk\kxetray\125.xml | kav_setup.exe
File created | ressrc\enu\bk\vulfix\153.xml | kav_setup.exe
File created | ressrc\enu\bk\defendmon\20116.bmp | kav_setup.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WindowsUpdate.log | vulfix.exe
File opened for modification | C:\Windows\SysWOW64 | kxescore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kxetray.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | kxetray.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6 | kxetray.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | kxetray.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4 | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5 | kxetray.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7 | kxetray.exe
Modifies registry class 54 IoCs
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\
description | ioc (relative key) | Process
Key created | Directory\shellex\ContextMenuHandlers\duba_32bit | kav_setup.exe
Set value (str) | Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | kav_setup.exe
Key created | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe | kscan.exe
Set value (int) | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe\ext = "1" | kscan.exe
Key created | CLSID | kav_setup.exe
Key created | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kxescore.exe | kxescore.exe
Key created | Wow6432Node\CLSID\{1172D735-4377-458d-B1BA-075ED5DC08BC} | kxetray.exe
Set value (str) | Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | kav_setup.exe
Key created | Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32 | kav_setup.exe
Key created | Drive\Shellex\ContextMenuHandlers\duba_64bit | kav_setup.exe
Set value (str) | .dubaskin\ = "dubaskinfile" | kxetray.exe
Set value (str) | *\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | kav_setup.exe
Key created | Wow6432Node\CLSID | kav_setup.exe
Set value (str) | CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll" | kav_setup.exe
Key created | Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} | kav_setup.exe
Set value (str) | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "145e4953120df8a3577846ff3d514a7c" | kxescore.exe
Key created | .dubaskin | kxetray.exe
Key created | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | kav_setup.exe
Set value (str) | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "145e4953120df8a3577846ff3d514a7c" | kav_setup.exe
Key created | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | kscan.exe
Key created | dubaskinfile\shell | kxetray.exe
Key created | dubaskinfile\shell\open | kxetray.exe
Set value (str) | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | kav_setup.exe
Key created | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4} | kxescore.exe
Key created | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | kxescore.exe
Key created | dubaskinfile | kxetray.exe
Set value (str) | dubaskinfile\DefaultIcon\ = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\data\\skin\\dubaskin.ico\"" | kxetray.exe
Key created | Wow6432Node | kav_setup.exe
Key created | *\Shellex\ContextMenuHandlers\duba_64bit | kav_setup.exe
Set value (str) | CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment" | kav_setup.exe
Set value (str) | Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | kav_setup.exe
Key created | Wow6432Node\CLSID\{69515E2E-C4E5-4c55-BF5F-7E7C59EA2158} | kscan.exe
Key created | dubaskinfile\shell\open\command | kxetray.exe
Set value (str) | Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll" | kav_setup.exe
Set value (int) | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kxescore.exe\config = "1" | kxescore.exe
Set value (str) | Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | kav_setup.exe
Key created | CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} | kav_setup.exe
Set value (str) | Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment" | kav_setup.exe
Set value (str) | dubaskinfile\shell\open\command\ = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kismain.exe\" /skin:\"%1\"" | kxetray.exe
Key created | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories | kav_setup.exe
Key created | Drive\shellex\ContextMenuHandlers\duba_32bit | kav_setup.exe
Key created | Wow6432Node\CLSID | kxescore.exe
Set value (int) | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe\file = "1" | kscan.exe
Key created | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0} | kav_setup.exe
Set value (str) | Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class" | kav_setup.exe
Key created | *\shellex\ContextMenuHandlers\duba_32bit | kav_setup.exe
Set value (str) | *\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | kav_setup.exe
Key created | CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32 | kav_setup.exe
Set value (int) | Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe\config = "1" | kscan.exe
Key created | Wow6432Node | kxescore.exe
Key created | Directory\Shellex\ContextMenuHandlers\duba_64bit | kav_setup.exe
Set value (str) | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | kxescore.exe
Key created | dubaskinfile\DefaultIcon | kxetray.exe
Set value (str) | Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0" | kav_setup.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
2580 | kscan.exe | 25
1108 | kxescore.exe | 6
2784 | kxetray.exe | 33
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2784 | kxetray.exe
Suspicious behavior: LoadsDriver 4 IoCs
pid | Process | occurrences
472 | Process not Found | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token | pid | Process | occurrences
SeDebugPrivilege | 2400 | kav_setup.exe | 1
SeRestorePrivilege | 2400 | kav_setup.exe | 1
SeBackupPrivilege | 2400 | kav_setup.exe | 1
SeDebugPrivilege | 1108 | kxescore.exe | 1
33 | 1108 | kxescore.exe | 1
SeIncBasePriorityPrivilege | 1108 | kxescore.exe | 1
SeDebugPrivilege | 2784 | kxetray.exe | 34
SeUndockPrivilege | 2784 | kxetray.exe | 1
SeLoadDriverPrivilege | 2784 | kxetray.exe | 1
33 | 2784 | kxetray.exe | 1
SeIncBasePriorityPrivilege | 2784 | kxetray.exe | 1
SeDebugPrivilege | 620 | kislive.exe | 1
SeDebugPrivilege | 1456 | kislive.exe | 1
SeDebugPrivilege | 2580 | kscan.exe | 2
SeCreateTokenPrivilege | 2580 | kscan.exe | 16
Suspicious use of FindShellTrayWindow 8 IoCs
pid   Process
2784  kxetray.exe
2784  kxetray.exe
2784  kxetray.exe
2784  kxetray.exe
2784  kxetray.exe
620   kislive.exe
1456  kislive.exe
2784  kxetray.exe
Suspicious use of SendNotifyMessage 5 IoCs
pid   Process
2784  kxetray.exe
2784  kxetray.exe
620   kislive.exe
1456  kislive.exe
2784  kxetray.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2784  kxetray.exe
2784  kxetray.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process        procid_target
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2784  2400  kav_setup.exe  29
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2688  2400  kav_setup.exe  30
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2400 wrote to memory of 2392  2400  kav_setup.exe  31
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2748  2784  kxetray.exe    33
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 2744  2784  kxetray.exe    37
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 620   2784  kxetray.exe    38
PID 2784 wrote to memory of 1132  2784  kxetray.exe    20
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 620 wrote to memory of 2204   620   kislive.exe    40
PID 1108 wrote to memory of 2580  1108  kxescore.exe   41
PID 1108 wrote to memory of 2580  1108  kxescore.exe   41
PID 1108 wrote to memory of 2580  1108  kxescore.exe   41
PID 1108 wrote to memory of 2580  1108  kxescore.exe   41
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1516  2784  kxetray.exe    42
PID 2784 wrote to memory of 1456  2784  kxetray.exe    43
PID 2784 wrote to memory of 1456  2784  kxetray.exe    43
PID 2784 wrote to memory of 1456  2784  kxetray.exe    43
Processes
C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  PID:1132
    C:\Users\Admin\AppData\Local\Temp\kav_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\kav_setup.exe"
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Loads dropped DLL
      - Registers COM server for autorun
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2400
        \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
          "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /kismain /autorun /kislive /devmgr
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:2784
            \??\c:\program files (x86)\kingsoft\kingsoft antivirus\vulfix.exe
              "vulfix.exe" -s
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Windows directory
              PID:2748
            \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe
              "c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe" /i /kavbootc
              - Drops file in Drivers directory
              - Executes dropped EXE
              PID:2744
            \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
              "kislive.exe" /autorun /std
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              PID:620
                \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
                  "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /GetConnectStatus
                  - Executes dropped EXE
                  PID:2204
            \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe
              "c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe" /i /kavbootc
              - Drops file in Drivers directory
              - Executes dropped EXE
              PID:1516
            \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
              "kislive.exe" /autorun /std /skipcs3
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              PID:1456
                \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
                  "c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /GetConnectStatus
                  - Executes dropped EXE
                  PID:2932
        \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
          "c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          PID:2688
        \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
          "c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
          - Executes dropped EXE
          - Loads dropped DLL
          PID:2392
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
  "c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1108
    \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe
      "c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2580
    \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kupdata.exe
      "c:\program files (x86)\kingsoft\kingsoft antivirus\kupdata.exe" -active 2
      - Executes dropped EXE
      PID:2976
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 4
  - Registry Run Keys / Startup Folder 4
- Pre-OS Boot 1
  - Bootkit 1
Privilege Escalation
- Boot or Logon Autostart Execution 4
  - Registry Run Keys / Startup Folder 4
Downloads