Analysis Overview
SHA256
bdf40bbc008ab151db86ace1b8c2385b8eed742031db4277c4f29ce164995294
Threat Level: Likely malicious
The file kav_setup.exe was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Drops file in Drivers directory
Sets file execution options in registry
UPX packed file
Loads dropped DLL
Executes dropped EXE
Registers COM server for autorun
Enumerates connected drives
Drops desktop.ini file(s)
Adds Run key to start application
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 02:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 02:42
Reported
2024-05-09 02:50
Platform
win7-20240508-en
Max time kernel
452s
Max time network
417s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\ksapi.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kusbquery.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kusbquery64.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kdhacker.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\ksskrpr.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\kavbootc64.sys | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\kisknl.sys | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| File created | C:\Windows\system32\drivers\kavbootc64.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\kisknl.sys | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| File created | C:\Windows\system32\drivers\bc.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kavbootc.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kisknl.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kisknl64.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | C:\Windows\system32\drivers\kdhacker64.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\kavbootc64.sys | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KDHacker\ImagePath = "\\??\\c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\security\\kxescan\\kdhacker64.sys" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\desktop.ini | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\KAVEventLog.EVT | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kscanner.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseset.ktp | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kws_init.log | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\khackwall\1004.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\530.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\44.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\238.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\lpolicy.dat | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kdefendpop\31019.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\20027.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\155.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswscxex.ini | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kismaindll\77.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\uninst\105.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kismaindll\105.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\100.bmp | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kxeutilcfg.ini | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.ini | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksreng3.dll.log | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\89.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\60509.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\103.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\khandler.dat | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswscxex.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kws\icon\commentbt.gif | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\122.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\85.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ifrcfg.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscanner.dll.log | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kupdata.exe | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kismaindll\88.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\59.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\132.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\vinfo.ini | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopsvr.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswbc.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\scom.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kws\icon\kwsupicon1.gif | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\137.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\154.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisdcom.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\camera.krf | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\unknown.fsg | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\defendmon.dll | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\defendmon\20026.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\116.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\121.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\39.bmp | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kusbquery64.sys | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\khackwall\20000.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kismaindll\104.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kpopsvr\60001.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\4.bmp | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\75.bmp | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\bkrsdb.dat | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\defendmon\113.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\khackwall\100.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kismaindll\1030.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\313.png | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\110.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kswscx\115.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\kxetray\125.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\vulfix\153.xml | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\enu\bk\defendmon\20116.bmp | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WindowsUpdate.log | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\vulfix.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7 | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe\ext = "1" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kxescore.exe | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1172D735-4377-458d-B1BA-075ED5DC08BC} | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dubaskin\ = "dubaskinfile" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "145e4953120df8a3577846ff3d514a7c" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dubaskin | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "145e4953120df8a3577846ff3d514a7c" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile\shell | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile\shell\open | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4} | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile\DefaultIcon\ = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\data\\skin\\dubaskin.ico\"" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69515E2E-C4E5-4c55-BF5F-7E7C59EA2158} | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile\shell\open\command | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kxescore.exe\config = "1" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile\shell\open\command\ = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kismain.exe\" /skin:\"%1\"" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe\file = "1" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0} | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A33E1526-778A-4ddc-95E5-6EB0513611C4}\kscan.exe\config = "1" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dubaskinfile\DefaultIcon | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0" | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\kav_setup.exe
"C:\Users\Admin\AppData\Local\Temp\kav_setup.exe"
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /kismain /autorun /kislive /devmgr
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescore
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\vulfix.exe
"vulfix.exe" -s
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe" /i /kavbootc
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
"kislive.exe" /autorun /std
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /GetConnectStatus
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe"
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe" /i /kavbootc
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe
"kislive.exe" /autorun /std /skipcs3
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /GetConnectStatus
\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kupdata.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kupdata.exe" -active 2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.40:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | softdl.pcdoctor.kingsoft.com | udp |
| US | 8.8.8.8:53 | cloud-q.kingsoft.jp | udp |
| US | 8.8.8.8:53 | kns.duba.net | udp |
| JP | 122.209.126.122:80 | tcp | |
| US | 8.8.8.8:53 | cv.duba.net | udp |
| CN | 110.43.89.23:80 | kns.duba.net | tcp |
| CN | 218.12.76.172:80 | cv.duba.net | tcp |
| US | 8.8.8.8:53 | infoc2.duba.net | udp |
| CN | 139.9.36.107:80 | infoc2.duba.net | tcp |
| US | 8.8.8.8:53 | download.duba.net | udp |
| US | 8.8.8.8:53 | b.api.pc120.com | udp |
| CN | 120.92.75.25:80 | b.api.pc120.com | tcp |
| CN | 221.194.141.154:80 | download.duba.net | tcp |
| CN | 120.52.95.237:80 | cv.duba.net | tcp |
| US | 8.8.8.8:53 | up.pcdoctor.kingsoft.com | udp |
| US | 8.8.8.8:53 | up.pcdoctor.kingsoft.com | udp |
| US | 8.8.8.8:53 | cloud-api.duba.net | udp |
| US | 8.8.8.8:53 | cu003.www.duba.net | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| CN | 218.60.21.6:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 1.193.210.6:80 | cu003.www.duba.net | tcp |
| CN | 175.6.254.65:80 | cu003.www.duba.net | tcp |
| US | 8.8.8.8:53 | cu004.www.duba.net | udp |
| CN | 121.14.11.21:8080 | tcp | |
| CN | 119.96.253.1:80 | cu003.www.duba.net | tcp |
| N/A | 127.0.0.1:8080 | tcp | |
| CN | 1.194.227.129:80 | cu003.www.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 113.16.211.3:80 | cu003.www.duba.net | tcp |
| CN | 42.56.77.1:80 | cu003.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 183.61.168.1:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 110.43.89.23:80 | kns.duba.net | tcp |
| US | 8.8.8.8:53 | cloud-q.duba.net | udp |
| CN | 183.61.243.1:80 | cu003.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| US | 8.8.8.8:53 | update.kingsoft.jp | udp |
| US | 104.22.55.83:80 | update.kingsoft.jp | tcp |
| CN | 218.60.21.6:80 | cu003.www.duba.net | tcp |
| CN | 1.193.210.6:80 | cu003.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| US | 8.8.8.8:53 | f-signs.kingsoft.jp | udp |
| JP | 35.77.86.110:8091 | f-signs.kingsoft.jp | tcp |
| CN | 175.6.254.65:80 | cu003.www.duba.net | tcp |
| CN | 119.96.253.1:80 | cu003.www.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 1.194.227.129:80 | cu003.www.duba.net | tcp |
| US | 8.8.8.8:53 | up.pcdoctor.kingsoft.com | udp |
| US | 8.8.8.8:53 | up.pcdoctor.kingsoft.com | udp |
| CN | 113.16.211.3:80 | cu003.www.duba.net | tcp |
| CN | 218.60.21.6:80 | cu003.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 42.56.77.1:80 | cu003.www.duba.net | tcp |
| US | 8.8.8.8:53 | www.sohu.com | udp |
| CN | 183.61.168.1:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 183.61.243.1:80 | cu003.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 110.43.89.23:80 | kns.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| JP | 35.77.86.110:8091 | f-signs.kingsoft.jp | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 110.43.89.23:80 | kns.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| US | 8.8.8.8:53 | www.pc120.com | udp |
| CN | 123.207.123.226:80 | www.pc120.com | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| US | 8.8.8.8:53 | fsigns.duba.net | udp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| US | 8.8.8.8:53 | ifr.duba.net | udp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| US | 8.8.8.8:53 | cloud-q.duba.net | udp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 120.92.32.253:80 | cloud-q.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 1.193.210.6:80 | cu003.www.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 175.6.254.65:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 119.96.253.1:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 1.194.227.129:80 | cu003.www.duba.net | tcp |
| CN | 113.16.211.3:80 | cu003.www.duba.net | tcp |
| CN | 42.56.77.1:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 183.61.168.1:80 | cu003.www.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 183.61.243.1:80 | cu003.www.duba.net | tcp |
| US | 8.8.8.8:53 | cu004.www.duba.net | udp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| JP | 35.77.86.110:8091 | f-signs.kingsoft.jp | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| JP | 35.77.86.110:8091 | f-signs.kingsoft.jp | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| US | 104.22.55.83:80 | update.kingsoft.jp | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| JP | 35.77.86.110:8091 | f-signs.kingsoft.jp | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| US | 8.8.8.8:53 | infoc2.duba.net | udp |
| CN | 139.9.46.163:80 | infoc2.duba.net | tcp |
| CN | 124.71.209.131:80 | infoc2.duba.net | tcp |
| CN | 139.9.36.171:80 | infoc2.duba.net | tcp |
| CN | 139.9.39.206:80 | infoc2.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| CN | 139.9.43.15:80 | infoc2.duba.net | tcp |
| JP | 122.209.126.122:80 | tcp | |
| CN | 139.9.45.223:80 | infoc2.duba.net | tcp |
| JP | 35.77.86.110:8091 | f-signs.kingsoft.jp | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
| CN | 221.194.141.155:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.156:80 | cu004.www.duba.net | tcp |
| CN | 218.12.76.159:80 | cu004.www.duba.net | tcp |
| CN | 221.194.141.154:80 | cu004.www.duba.net | tcp |
| CN | 61.184.10.39:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.34:80 | fsigns.duba.net | tcp |
| CN | 61.184.10.38:80 | fsigns.duba.net | tcp |
Files
memory/2400-0-0x0000000000400000-0x0000000000515000-memory.dmp
memory/2400-1-0x0000000000AE0000-0x0000000000BF5000-memory.dmp
memory/2400-2-0x0000000000AE0000-0x0000000000BF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kantivirus\~f762980\install_res\kurldef.ini
| MD5 | 58b50191b75819aadc511eddc679a2ab |
| SHA1 | db2acc1e8ca3e6706b47d748f98a067d20545a41 |
| SHA256 | 00147bd5c934f138ccb765f9498f0080a934342aaefd0c5a2e04dc77cf1ddc64 |
| SHA512 | 3bd33eb558324a5c54c54f44065631fb9622d3c3f23961a3d608d92e9dd7411487598af3b555ba7dd753c92eb161a9fcebb32b8627e3aa52a0521f0f58c6e6b5 |
C:\Users\Admin\AppData\Local\Temp\kantivirus\kavsetup.log
| MD5 | 9687b68a6b80863b30d292be915f7fff |
| SHA1 | 6aba983bad295daa7df2e43d9d29c707ce743759 |
| SHA256 | 40b8afdfe309edbc81440e8bff733bc4f27d1213a9f421f1031982a85e26c35c |
| SHA512 | cc6232d099a20c24f7a62e296be4856318cbc43658c2bd62668fa4d013757f80d3fe41b06fe1c7d68b4c983948da485c98dd266a2d9758c070c8a04c42a99b98 |
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
| MD5 | a16b3c62473f0eb6b25d3fe01d94d20a |
| SHA1 | 574228836ef2bd07d128108ee2cbb372cbf7a4a8 |
| SHA256 | e115909cb4707f1895e69ef9e608ff8ee10fead21ac1c6c7b3148fc998e2355d |
| SHA512 | a07bd7312bda0062b5e45d84b3494a3912a014ae4c50e69f57895f5625c14498bd38104087020b51f745be3ff2a86bb0c27313c6dbb8969765ffe28225ca3fb6 |
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
| MD5 | 79af9b1395d7b69a51b59776327545b6 |
| SHA1 | 7e101f2c940e6ba5071878ce0a359a5858f0111d |
| SHA256 | 42113b965bc9822662f7892a252fd52c60e9041c6367e1ba75c982246f3d2b0b |
| SHA512 | 3f7827e591494eb53fb6920f2b5e6e393a6fa043015fb24169f0c7bc96f1f277a725fb1371f3b9b3f06c9a1522c647a9b6c29db5254eabed657ee587adb5c4d2 |
memory/2400-80-0x0000000004BB0000-0x0000000004BE8000-memory.dmp
memory/2400-79-0x0000000004BB0000-0x0000000004BBA000-memory.dmp
memory/2400-78-0x0000000004BB0000-0x0000000004BBA000-memory.dmp
memory/2400-77-0x0000000000400000-0x0000000000515000-memory.dmp
memory/2400-82-0x0000000004BB0000-0x0000000004BE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kantivirus\kavsetup.log
| MD5 | 9185813a2482722834703f032c199761 |
| SHA1 | 658f4400f0d1529fe87bb25fc003be74f04853e8 |
| SHA256 | 9794516deec91587d9204ba3089c0fe5b124efc822b98191f7e3f183d4e6e741 |
| SHA512 | 6a3a0246ffec10cf3c44ff67863c34f39b80dd3a5fc7eed1b572d9db64ecb7c1626cc83355d0e4d582b1fe4dd5f59cca056bf3cdac4419919d563863b321cfba |
\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
| MD5 | 064023864f9c5acf71499bdbc555fc73 |
| SHA1 | 80dfcb9895c6de95c4b7124511ea2db5d0f47937 |
| SHA256 | 9c94bc6fb33382197f06e7163590d2e96ada7fa4455388cbeb39843c479b62ac |
| SHA512 | 0c3b59b2db2565ad883ef91f234a78a00d4d9dc2bb6ec10f3d3774717f101f3b9adb36e3a0aacb51909e50aa885e43f2263dd002a3a63ce9c7643ab1f99463e4 |
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
| MD5 | fc10870e24686571bff60d0f72c5d3e8 |
| SHA1 | 62649126e6edd920cf001801b6446430e6ba5288 |
| SHA256 | caf1770d5e745d3be1584818e97b56c2e271016881478bbfb1ab6f66e7bab6c0 |
| SHA512 | 92a9a5162c3a01721a0097c643ae88ff211a7099cba2e9ebf22bc6e30680a78aa65c1c98277a9329539994d1a9eb482bb15c245704daceb3b3fef56a366c4bfc |
\Program Files (x86)\kingsoft\kingsoft antivirus\uninst.exe
| MD5 | 75c35484cba214fb64119839e78f12db |
| SHA1 | 1ed33936d834887a2c9d44d0a4643c67c303aa70 |
| SHA256 | 15d501b40268a0d4dcb5e8726fd61a6aa406063c89c4f3be54732ba4caef85b1 |
| SHA512 | 9c0551914f4f981d468ec2a78d68de1f7580d8c7fddcadd1facaa2ecbf1d55e4a90ef4eff5333bc55cbfa0941de6143c5ce980c4d126f37f5864ffab04fba5c4 |
\Program Files (x86)\kingsoft\kingsoft antivirus\krecycle.exe
| MD5 | 40888ea63bb6f1bbbed49b719e9d2523 |
| SHA1 | a8bae5c78d6d8f6fa916820a6e5e2531fb63ebbb |
| SHA256 | 777c8589a3c08bb0b100b108e807ebc2423584a3599b088e8d228990bbdbced0 |
| SHA512 | 1f51b621d0de9c9acac7b2436642ce47b3ef907222762b1efc1bd5210367c4eb59c8b14904b4d1feb3e75982a637b3c73754e329494cc020db8d47abf45d43c0 |
\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
| MD5 | f364af8667277440e38755fa860d2e0b |
| SHA1 | 38c4f51274d35e9aaea1a34d19861463dc6443dc |
| SHA256 | 25c7dfcaa366ab1d007c6bfb57fb947c66aa200b21060710c709111ea01eba36 |
| SHA512 | 482b7b275c799e4fe6e244613751cd9377e590da5512f00a6b8a6c176ff62f8091c90a97ef1464f83bc0071d2731eb4dcc2aec7f842cdd7faa1645cf998441ae |
\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe
| MD5 | 4f11e95ca5577d3f5863c2ea0d0cc791 |
| SHA1 | e604333b4e33dc1141b2dd0bcd681eb2fd932ae8 |
| SHA256 | 90fca2152d9b5a9cab5b4fceb9756ef6ecb52db27c80995c0d3f303f04132916 |
| SHA512 | fad04eb8c078be1d41ad463436464876f479bb1afdb64be00356d1a3329c524e65b19a5b5e4f6814d0b12e5a77d4495b0c13eaf15575f0aec53b83342e0c1f74 |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
| MD5 | d475d06de67a3a1d9ad9e632b4c1501c |
| SHA1 | f84a7a92cb33f45796a8ee34b9e9085ddbf7d8ab |
| SHA256 | 2072ea283ba04c46e0a59d4dd641bc383bd3d6ce2c03812f2058df8c0f649d84 |
| SHA512 | 2c3b88acd082a0d184b0700a9dc10fc5d9f5d68ee065a9b6854b2895bc887e30cb936c9bcbabe50d56a750ff843cfb492a7a2f759fbf02b30b914e5a09a4c581 |
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll
| MD5 | e4fece18310e23b1d8fee993e35e7a6f |
| SHA1 | 9fd3a7f0522d36c2bf0e64fc510c6eea3603b564 |
| SHA256 | 02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9 |
| SHA512 | 2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc |
\Program Files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll
| MD5 | 4c8a880eabc0b4d462cc4b2472116ea1 |
| SHA1 | d0a27f553c0fe0e507c7df079485b601d5b592e6 |
| SHA256 | 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08 |
| SHA512 | 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c |
\Program Files (x86)\kingsoft\kingsoft antivirus\vulfix.exe
| MD5 | 915c8fc1b7a698179bbd5d58c71812db |
| SHA1 | e6222a75a6620fb7ec750e3647e824db1f3ff002 |
| SHA256 | d3c3c7dbef3c4e417da49038a30f8647e7642b2da93ef1fd2a1888420caa2e22 |
| SHA512 | efced57c43be65fe50cbef5d4d44e82a505bbcf93e18f46be146268c34a22602179794801ef4eea5e9cac00d653b238c5dfb5d41bb7c7f1977c5254698499621 |
memory/1108-238-0x0000000000140000-0x0000000000169000-memory.dmp
memory/1108-259-0x0000000005620000-0x0000000005811000-memory.dmp
memory/2748-267-0x0000000000B70000-0x0000000000BFA000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\ksafevul.dll
| MD5 | 207ef482bf6f4aa89e2614b34bc475c7 |
| SHA1 | caeb1519bb6abffd30625eb5c184432af4163bf3 |
| SHA256 | 9b8ad44d98b258204332e61768c5a68d2396e2b23f786040d39aa2fb31eac191 |
| SHA512 | ab6cc36fe9a61e08157c1b374058274af3e2b929f34e45bff2daab4931385986cc582917b4cf06b05f1ae4527bb93b039eaf971669b9a0b71d8deb6c73945f37 |
memory/2748-264-0x00000000005D0000-0x00000000005F1000-memory.dmp
memory/1108-274-0x0000000000560000-0x0000000000572000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksinst.dll
| MD5 | 41fb03cd0646e1be3672da65d0d5a474 |
| SHA1 | 7dda592171548923c641cbad6dd1383ee0348ba5 |
| SHA256 | f8539aaacf385b686a778209fb895e1fcba22ef92e1cf50908b51622188709d6 |
| SHA512 | 378131198fc7ce422036fb46df81a23eddcfb67ae7be4dbe5a3f6396e9cd98cdecc9469fe6d92f0fac59aa709981da9643a7d71ebfef07a1e93d48807daac9c0 |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseset.dat
| MD5 | d701a3b4a683d153f979e02ad0df6b6e |
| SHA1 | 592b0923d809a717e0603efebfc823e5a7a33ecc |
| SHA256 | 9c07f588b3241b1ce800bf6e5544c33ffe22e11a2dc13b57d950c40bcf23abea |
| SHA512 | ff4697337a619fc547f3a663a0180106ed8f24f8b97aee959f952c15b87ced185d7b108054d13ff551085244de79ecda731883f8fc1999a48d195850831193e6 |
C:\ProgramData\kingsoft\kis\hg.dat
| MD5 | 7a64c5f693a1668652b67f55a2150d3f |
| SHA1 | f826c4d50f5cca0ed9513296f1859c0cb5fbd990 |
| SHA256 | 958fd78c72573eb40fe9df54866297762a15860867c1c99c758fb810565c2557 |
| SHA512 | ad1a8b8264b4a43aca6bf85c23756d2131cc631ddab875497d56de09d8c01d5b3e10ec1e10c274a90487780fdfa7a61758371bbd6be9b68766d4d999b401cdc8 |
memory/1108-302-0x0000000005ED0000-0x0000000005F33000-memory.dmp
memory/1108-299-0x0000000004720000-0x0000000004776000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kxesansp.dll
| MD5 | 9ae063f8aa5a6bb1d87c1182d08d4fe1 |
| SHA1 | 5e77d46d1188a1d269bc9bcf46e0e5a5c98b328e |
| SHA256 | 98ab3fb14861a51f723f8aa8f44f8e22adf37f7cee38f6365322146c30bbeb9b |
| SHA512 | 16183326f5ce0b7adbf7abed145dee3c8e2f34baf29e5d81efe3f7c0f0d75d393cec64cd086ef1d1b466b4aa7b874922760e1d737bf4a7792f2575cb2feda37a |
\Program Files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll
| MD5 | cfb9287c25d708358d90470dc198bbf2 |
| SHA1 | 8d99526b7b4391cafa9ee8b51b3095cb81937408 |
| SHA256 | d233143a9cac3735e04968fb988904ed897afe6ce5d922e188b17b92bdbc70f6 |
| SHA512 | c9442f71c729e6c5057f220122d38e5bf874a80a3c080457de76ff4b323ecd835839584ffd3bd0bf2f1d09cfaf10083a6b22967012cc15157d765e412e0a76fe |
memory/1108-272-0x0000000000540000-0x0000000000552000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll
| MD5 | b4fb0f8f1c7d3330554f14be58489c74 |
| SHA1 | 76fae438cf030f16a4ded71fab66052bfb1c3ea3 |
| SHA256 | ab70cfe51c12f2c96ea13d09a15e9ed3ee64c2fec21a9bb162542e6ea7c313fb |
| SHA512 | 52c0b5f8acb0f78901ba5e7a30d74d10c2ae11665f434cd78adfa38844f745d328165a0f6bd0325c4d96a8e44736592db47ce21817f9be43101748e79abc577d |
\Program Files (x86)\kingsoft\kingsoft antivirus\kispublic.dll
| MD5 | 28bfd2d3a1da7666dc4d9c711ec5307d |
| SHA1 | 8c615199b3c86a31cf7657720b80b0f3cdc92de3 |
| SHA256 | 645300f84c647128cfea9a2243efec873d8a16b545af46b8f8e04ca8fda77834 |
| SHA512 | 5af1951e4ea9364535e795176988e718fbd409ac42302abba378b9f82d3610f2ffd5c1d879ef38e9f437d97b871964daadc3f6c45d571ea513608e20aed3a2cc |
memory/2784-316-0x0000000004810000-0x000000000489E000-memory.dmp
memory/2784-321-0x00000000050C0000-0x00000000050E9000-memory.dmp
memory/2784-319-0x0000000005120000-0x000000000515C000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\kwssp.dll
| MD5 | a4e9fa8912f6f8ec40e95f9e1965eced |
| SHA1 | bb41d0c0edd37d9c47adc72fc3e776d462c7e458 |
| SHA256 | a55ebc92af0ff7814c60db7169c9adcf9f07d7be496acef843c06ae1f2e0ed9b |
| SHA512 | a5fda075d1475272bfba081221d48c9a146b3f2141184259d53828bc5b4bbffa1cc449063f8c58f520d111ed085c19e4643f3677d097665f610078df05bc2d70 |
\Program Files (x86)\kingsoft\kingsoft antivirus\kxecore\kxecore.dll
| MD5 | 03fd3dcd6676c9054d28dd5ffd4dc7e3 |
| SHA1 | b9e51dd1d697cb7da3aa34fb71a2c3e8675d0521 |
| SHA256 | cac414a5ff64137515b461f274d216170461e61c4624c1a47e7b9ce97c99ece2 |
| SHA512 | 5a2025dbdc86dad8043d94fd9e1798dc5a988bcca2ba709c2e6f848d466f156b2695945221fbe0fe377019216864e978b0ad9c3e62a29b704b42d7a3b6287f07 |
memory/2784-323-0x0000000004F50000-0x0000000004FA3000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\kxecore\kxelog.dll
| MD5 | 029648eff830ecdbd28967afc670ad9b |
| SHA1 | e4e7f5bd3b3f692832167e2df947a8036ae56563 |
| SHA256 | d8ec082f677b68011c22327fa9fd63d1bf310ecce448d2db9f1335bcf4396f34 |
| SHA512 | 7606db9d12a24ce119a83d3ae53eec28feddf8d196dc93bcebfcde53f55c01578e9c0b15200220d9420e753daaee295a23758c03ffb90b3489af3deeb3528ea3 |
memory/1108-249-0x0000000000490000-0x00000000004A2000-memory.dmp
memory/2784-331-0x0000000005950000-0x0000000005B96000-memory.dmp
memory/2784-329-0x0000000004E90000-0x0000000004EA8000-memory.dmp
memory/2784-343-0x0000000006320000-0x00000000063B3000-memory.dmp
memory/2784-349-0x0000000006AA0000-0x0000000006ADD000-memory.dmp
memory/2784-347-0x00000000067A0000-0x0000000006813000-memory.dmp
memory/2784-341-0x0000000005E00000-0x0000000005E29000-memory.dmp
memory/2784-327-0x0000000004FB0000-0x0000000005065000-memory.dmp
memory/2784-325-0x0000000005160000-0x0000000005369000-memory.dmp
memory/1108-247-0x0000000000220000-0x0000000000232000-memory.dmp
memory/1108-243-0x0000000000490000-0x00000000004B8000-memory.dmp
memory/1108-241-0x0000000000110000-0x000000000011E000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\kxebase.dll
| MD5 | e05a31340db26e45f6b6bbd0c61f69e0 |
| SHA1 | 34985e0ec7d8d3e716d64f80c2a144e9ac462559 |
| SHA256 | 5a7fbf9f705c00e1a5c03c744cc3883f86e7782ea306151d83dc9fa9e4d26e3e |
| SHA512 | ba9be655d71d45dcebf23dd27bf468b495357a6dd43781fb4c4631e49543405fbc71912761032f564dc6785fb5bd5d02e55da86393818707864eb9370908253e |
\Program Files (x86)\kingsoft\kingsoft antivirus\ksapi.dll
| MD5 | 264085d017ed1fbbe3c6f9f415b7a014 |
| SHA1 | c785016f5f071e2c130ffcb60944133f607d1cc7 |
| SHA256 | dc33b0762e1bca6fd662621fb73624c0611f5238310afbeae4d3040bb7c142b6 |
| SHA512 | e6418f523941f29f8f8fed74eb02820159036ead92a449cf19f96f668cb51c63fd2820bf5beaad8f223e6396abca7ff3d21962fc1c01efcb2208bce55bcea400 |
\Program Files (x86)\kingsoft\kingsoft antivirus\scom.dll
| MD5 | 5433130b0379ea87682af93d269149ff |
| SHA1 | a6fbd1a4d11d0a206fc9fe3630767685c4a36389 |
| SHA256 | 34a5de00c7316371fe43d4e0243f5d60695ca39b0f1641c028497887bfbc4f23 |
| SHA512 | ac682e8713c4d03853ee2dd03c4d77a980588710719543a2c699c3cc58315282a18384411401e775ea605f452662ccbeebdd8743cae162caee6d223b600edd26 |
memory/2784-234-0x00000000033A0000-0x0000000003543000-memory.dmp
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.dll
| MD5 | 9e93bfe6a01354a5df4af3f98b382ed0 |
| SHA1 | a81a1df05e435e94cd12a2fa48f2a3ad528123bc |
| SHA256 | c71cdba6b7f54e6e5ac93d403bb77387b6e5c4cc68f2170fc07cce92019b40d2 |
| SHA512 | f966164884b9780eb73ccf87f0d84200d757d1a15f998d777987a631a74d1859daaaf3cb872014cb78576f2a701fc6c06202e1e4170c1ae0d0e302ec4a2a3e50 |
\Program Files (x86)\kingsoft\kingsoft antivirus\json.dll
| MD5 | 4fe9c6c088b3a46091feaf7032b714ed |
| SHA1 | 369c7e7e64bd4031b9609ae1689c02706e15aef4 |
| SHA256 | e5b80cbc0fa8f2eceda40274b17a65895aff36c8d3e06b597614942520ff227c |
| SHA512 | 37915dcd173516e8ed63ff0d4d197fda977a6fdf2de33b3b61ed304110c82cec4a3bd2a0d724fed9b75fdc3faabb5f8a64749aba40bc57450373b445989f8368 |
\Program Files (x86)\kingsoft\kingsoft antivirus\kskinmgr.dll
| MD5 | 115fb928e556ba9f16aa8ecd99cdecfb |
| SHA1 | da7845bf346a7fa5a04adc06ee5d4e9b45dfe3ef |
| SHA256 | f1c2dc88693b93d2486294aba60192059c69dda52e8caf8d11755e0b788582f6 |
| SHA512 | e40eae69f0485f083bbfcc6e2de767b917e9b10ccd0331347f43e29ab95f74903799f19209022df288cab5481735b5471c6c978154dd08c1dfa2a2a8559f8074 |
memory/2784-217-0x000000006FFF0000-0x0000000070000000-memory.dmp
memory/2748-360-0x0000000004330000-0x00000000043BE000-memory.dmp
memory/2784-367-0x0000000007290000-0x00000000072B8000-memory.dmp
memory/2784-366-0x0000000005080000-0x0000000005090000-memory.dmp
memory/2784-373-0x0000000009360000-0x00000000093EC000-memory.dmp
memory/2784-370-0x00000000072B0000-0x00000000072C2000-memory.dmp
memory/2784-365-0x0000000005070000-0x000000000507E000-memory.dmp
memory/2784-371-0x00000000072A0000-0x00000000072C8000-memory.dmp
memory/2784-375-0x00000000097B0000-0x0000000009825000-memory.dmp
memory/2784-369-0x0000000007290000-0x00000000072A2000-memory.dmp
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.log
| MD5 | c69ee16ff006c5981bacb6817df4d252 |
| SHA1 | c1e8c876185d3f0da83083bfbd142eaa63f8b3ec |
| SHA256 | 5779a454154d4c6797b53f8b923d13285fb34b1f6627f36911d598551f915d36 |
| SHA512 | 9bdc4a5bd420fca0a338326c7a784cee1f8cc9c23a54ac2380279e610e2958c8785501440bdd3a733ffbca5c66c623f7ea4a8e01bf1384422164928310ba0955 |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseset.dat
| MD5 | feae6cd4bfc8d7cdd7be24e72bcd6871 |
| SHA1 | 6a9a6b7ed10555714e9d27797dcbbdc8b34e118b |
| SHA256 | b33bf5eabef366b273e4d110fbafaa8f11f5f08179215696362ea8f04117c0d1 |
| SHA512 | 804284d42dfdd4d54f3f72dc94ebca8e2f0c6c169176e642ef32b37afd57270e1274555eea238c06b0a568b1b0bc80ac4752e21e694d84eb6c073b33cb522501 |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\qsindex.dat
| MD5 | 61d440a52785de703b772fac1afea40f |
| SHA1 | b2cdabe9323e26e2ba8ce23d6eb15f69b35b737e |
| SHA256 | 93be62b02f5f8b883cb7b4ee7dc8dab9755fa6da74db186f661229f4a38617f9 |
| SHA512 | 14788e5a059e7254010cef2ba89ae452331516ba2abdb24b4d1877f9aa8b487ef2d94684ae1e56adabda1909d1102856fb1abe82bb9105bb890361b7f18f40b5 |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseset.dat
| MD5 | 1354e832704c215230b416da1140edc0 |
| SHA1 | 9af86c6a1e283cf2f23c38970bbe9c81a9824ca3 |
| SHA256 | 259c4afc2d6091a8341260fb20b6a654ecf1492ffa41dbe3147ceb1a48bb3982 |
| SHA512 | 74f8ba050adcc6062ba27ebec5e1e836ec586bbf2b40db9dec73d4912f539ebea796d9d0ad7fbfc88503eb50a72ade3efa8a417dc61f4dfe2a62373e2b5e8015 |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseset.dat
| MD5 | 4c27f121c37c75431a60cbd983378174 |
| SHA1 | c87de6f820f18131788932648fd0c70444a800e5 |
| SHA256 | 1a624a7a2523a7f7db8bbc17da2496b2e01321926fd2c9778234ca4928ec760a |
| SHA512 | 78b5861503b7a3ba0989882fcd0204372f6b048160c50e2dc7bfa3e987a084405e5f696c3bf00d719fec3a5bf42d5dced4b090d4d5a4a8d534f5970a88490a6c |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kseset.dat
| MD5 | 97db452da73ddc9a1119c04caf16759c |
| SHA1 | 015660ee9b4961dadd2695310739b2608ed8796f |
| SHA256 | 244e7138a0d5941f981ac5b133e0cec76685fe1734b9bd56775cee49a6b78b68 |
| SHA512 | ae6431b982c829a721e8372f6a4d8300ba2390a303a2efa37e5a7814c8a81e406375bbd80b203ac7dd6286fe7cc0e7f412eb5ecf5a4c6ede3b5c86084177af2a |
C:\Program Files (x86)\kingsoft\kingsoft antivirus\kislive.log
| MD5 | 597e2bc9f8804854e9c49186f2fdb112 |
| SHA1 | e95b5354a94f49ffb64b5fa5043833fb08d2efa5 |
| SHA256 | aa27206484a1e4b050518e1386e980bf2f2a8ee26747c2ff6ef8609d14cc0b70 |
| SHA512 | 93c5824ed1d791d7dd7cdaa67d6e05dbf24cc4a264f2ca1ec76606620c56c135ece593064812b821f99de833ce907e90e494a9133ee9c8d5017dedd53e21adfd |
memory/2400-731-0x0000000000400000-0x0000000000515000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kantivirus\~f762980\install_res\71.png
| MD5 | 3fd801d9ee0f5aff63cfdb0931b62ced |
| SHA1 | 77bb039b51457c3637f8e15fc54928fc05db3227 |
| SHA256 | 5e8df1266ffe9aa601a87f4d9e22e1f00d8c77d38e9e2715e7ab20ba95722eee |
| SHA512 | 65854eec7ec4eb4e9efe1a115e6c6c5c23111f773c61da772c1764f635b669ca835035750a24198f79fa078034828b6af846a8b54e79507b07d86ed411ee7cc0 |
memory/2400-845-0x0000000000400000-0x0000000000515000-memory.dmp
memory/2400-846-0x0000000004BB0000-0x0000000004BBA000-memory.dmp
C:\ProgramData\kingsoft\ksbw\ksbw_wi.fsg
| MD5 | 47d8dd713a9e27bda9ede09a5b9f2fd8 |
| SHA1 | 14b667c96eec8ef8d9ef2404b6ce6ef22b70f843 |
| SHA256 | 722586f2ead7f8e14bbc95e5f84a069255a3c21449daa03109ff81c6bae96365 |
| SHA512 | 0d37217f4a384d2e9ba876029f50ead9a01dc6d629de5482d2527e14881e836aef8ad53f677147c5a946964697bcf1826784bcb967bed29618cf1e3ee847f089 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 02:42
Reported
2024-05-09 02:43
Platform
win10v2004-20240508-en
Max time kernel
2s
Max time network
5s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 700 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | C:\Windows\system32\pcaui.exe |
| PID 700 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\kav_setup.exe | C:\Windows\system32\pcaui.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\kav_setup.exe
"C:\Users\Admin\AppData\Local\Temp\kav_setup.exe"
C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {82a286df-6224-4595-86f5-90903d47fdc9} -a "Kingsoft Internet Security" -v "Kingsoft Corporation" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\kav_setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/700-0-0x0000000000400000-0x0000000000515000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 02:42
Reported
2024-05-09 02:43
Platform
win7-20240221-en
Max time network
5s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 02:42
Reported
2024-05-09 02:43
Platform
win10v2004-20240508-en
Max time kernel
0s