sakula | e9dc773fe8246ace37a19aad94ad019eaae4c026ab4b30d01d135762a1f891b7

Analysis

max time kernel
32s
max time network
7s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-08-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BHome.exe
Size

21.4MB
MD5

0c6978591a5f3cda55f0da83febbd2f4
SHA1

55c8874f825c010abcd5951683038aee1110ba18
SHA256

e9dc773fe8246ace37a19aad94ad019eaae4c026ab4b30d01d135762a1f891b7
SHA512

74b8be13cf24485b7b5a25a49fd322d7906c15408ad13b4253b4dfbbe1218fdff20052d89089bfa3663fb067a402d16b4ec3ba521678da8de64c5da55be248bd
SSDEEP

393216:UzlREqNYxoTvYb7VCAeXjE5g+W33hM2qAxJZApoZ5xzT+2Q35DvP/hdo:k/EqmCYbFeXY5g+GM2qARAkxHhQpTP/w

Score

10^/10

sakula adware bootkit discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aad3-255.dat	family_sakula
behavioral1/memory/3492-258-0x0000000004BC0000-0x00000000050CC000-memory.dmp	family_sakula
behavioral1/memory/3492-520-0x0000000005030000-0x000000000553C000-memory.dmp	family_sakula

Sets service image path in registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib2\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib2.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib3\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib3.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib5\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib5.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib3\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib3.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib5\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib5.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BkavAuto\ImagePath = "\\SystemRoot\\System32\\Drivers\\BkavAuto.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib4\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib4.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib6\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib6.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib1\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib1.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib0\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib0.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib1\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib1.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib4\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib4.sys"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BkavCoreLib\ImagePath = "\\SystemRoot\\System32\\Drivers\\BkavCoreLib.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib0\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib0.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib2\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib2.sys"	BkavHomeSetup.exd
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysLib6\ImagePath = "\\SystemRoot\\System32\\Drivers\\SysLib6.sys"	BkavHomeSetup.exd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BkavHome = "\"C:\\Program Files (x86)\\BkavHome\\BkavHome.exe\" /Taskbar"	BkavHomeSetup.exd

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcnancbdijenfaameanloddnkbjhfaal\1.37_0\manifest.json	BkavService.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2876549C-1023-4AA0-82FF-8ED7112D5269}\ = "Bkav Site Advisor"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2876549C-1023-4AA0-82FF-8ED7112D5269}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2876549C-1023-4AA0-82FF-8ED7112D5269}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	BkavHomeSetup.exd

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log	BkavHome.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\key.ico	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\chrome.manifest	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\SmallIconFF.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\install.rdf	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\SmallIconFF.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BkavIcon64.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSafeRunStyle_FF.css	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BkavIcon64.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\bkavsiteadvisor.js	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavFFSiteAdvisor.dll	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIcon48.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\keydis.ico	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\alert_FF.html	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\bkavsiteadvisor.js	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavFFSiteAdvisor.dll	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\ArrowBkavSafeRunUp.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log	BkavHome.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\SmallIconFF.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BkavIcon.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\btnBack.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxBottomCenter.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxBottomRight.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BoxBottomCenter.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\browser.xul	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\bkavsiteadvisor.js	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\AppLog\BkavService.log	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxTopLeft.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\key.ico	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\bkavsiteadvisor.js	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxCenterRight.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIcon.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIcon48.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\AppLog\Install.log	BkavHomeSetup.exd
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSafeRunStyle.css	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxCenterLeft.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\button.js	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\BoxBottomRight.png	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\ArrowBkavSafeRunDown.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome.manifest	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxTopCenter.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\install.rdf	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BkavIcon48.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\install.rdf	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSiteAdvisor.exe	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\BoxTopRight.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BoxBottomRight.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIESiteAdvisor.dll	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\Temp\bkavcompfiles.dat	BkavHomeSetup.exd
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\alert.html	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\npBkavSiteAdvisorPlugin.dll	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\ArrowBkavSafeRunUp.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxCenterLeft.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BoxCenterLeft.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\alert_FF.html	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxTopLeft.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\btnBack.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\keydis.ico	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\SiteAdvisor\button.js	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\BoxBottomLeft.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\SmallIconFFx.png	BkavService.exe
File opened for modification	C:\Program Files (x86)\BkavHome\SiteAdvisor\chrome.manifest	BkavService.exe
File created	C:\Program Files (x86)\BkavHome\BkavHomeEn.log	BkavHomeSetup.exd
File opened for modification	C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log	BkavHome.exe

Executes dropped EXE 11 IoCs

pid	Process
112	BkavHomeSetup.exd
3492	BkavService.exe
4440	BkavHomeUpdateService.exe
1828	BkavHome.exe
4452	BkavHome.exe
4364	BkavHome.exe
1092	BkavSiteAdvisor.exe
1440	BkavHome.exe
2328	BkavHome.exe
4792	BkavHome.exe
912	BkavSiteAdvisor.exe

Loads dropped DLL 47 IoCs

pid	Process
2672	regsvr32.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
2408	regsvr32.exe
1828	BkavHome.exe
1828	BkavHome.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
1828	BkavHome.exe
2592	regsvr32.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
1440	BkavHome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHomeSetup.exd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHomeUpdateService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavSiteAdvisor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavHome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BkavSiteAdvisor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	BkavHome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	BkavHome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\HotIcon = "C:\\Program Files (x86)\\BkavHome\\SiteAdvisor\\key.ico"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\Icon = "C:\\Program Files (x86)\\BkavHome\\SiteAdvisor\\key.ico"	BkavService.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	BkavHome.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	BkavHome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	BkavHome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	BkavService.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main	BkavHome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\ButtonText = "Bkav VirtualKeyboard"	BkavService.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main	BkavHome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\Default Visible = "Yes"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\Tooltip = "Bkav VirtualKeyboard"	BkavService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2876549C-1023-4AA0-82FF-8ED7112D5269}\ClsidExtension = "{2876549C-1023-4AA0-82FF-8ED7112D5269}"	BkavService.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	BkavHome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BkavHome	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	BkavService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0301742-B7E5-4B49-8BC2-692E40A8053D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0301742-B7E5-4B49-8BC2-692E40A8053D}\ = "IBkavSiteAdvisorEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A97B29C0-426F-4535-9F29-CDC8ABE5DADD}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	BkavService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine\ = "BkavSiteAdvisorEngine Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtoc.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtoc.1\CLSID\ = "{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\BkavHome	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A97B29C0-426F-4535-9F29-CDC8ABE5DADD}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine.1\CLSID\ = "{2876549C-1023-4AA0-82FF-8ED7112D5269}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtocol\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67EDE076-3F8F-45AD-9E80-21B0C531E972}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67EDE076-3F8F-45AD-9E80-21B0C531E972}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}\ = "IBkavShellExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0\ = "BkavSiteAdvisor 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0\0\win32\ = "C:\\Program Files (x86)\\BkavHome\\SiteAdvisor\\BkavIESiteAdvisor.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A97B29C0-426F-4535-9F29-CDC8ABE5DADD}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}\ = "IBkavShellExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtocol\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}\InprocServer32\ = "C:\\Program Files (x86)\\BkavHome\\SiteAdvisor\\BkavIESiteAdvisor.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67EDE076-3F8F-45AD-9E80-21B0C531E972}\ = "BkavShellExtension Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtocol\ = "BksaPluggableProtocol Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtocol\CurVer\ = "BkavIESiteAdvisor.BksaPluggableProtoc.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0301742-B7E5-4B49-8BC2-692E40A8053D}\ = "IBkavSiteAdvisorEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67EDE076-3F8F-45AD-9E80-21B0C531E972}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67EDE076-3F8F-45AD-9E80-21B0C531E972}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A97B29C0-426F-4535-9F29-CDC8ABE5DADD}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BkavHome"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BkavSiteAdvisor.DLL\AppID = "{325BBF8D-FF95-4CA8-BC27-2409A2CD1D82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6DE3EA4-5A90-4730-87AA-8671F1A8017D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0301742-B7E5-4B49-8BC2-692E40A8053D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine\CLSID\ = "{2876549C-1023-4AA0-82FF-8ED7112D5269}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\ = "BkavSiteAdvisorEngine Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A97B29C0-426F-4535-9F29-CDC8ABE5DADD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine\CurVer\ = "BkavSiteAdvisor.BkavSiteAdvisorEngine.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavIESiteAdvisor.BksaPluggableProtocol\CLSID\ = "{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A97B29C0-426F-4535-9F29-CDC8ABE5DADD}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C461C70-300C-4BB0-AAE4-5AD033CA0B1C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\InprocServer32\ = "C:\\Program Files (x86)\\BkavHome\\SiteAdvisor\\BkavIESiteAdvisor.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\BkavHome\ = "{67EDE076-3F8F-45AD-9E80-21B0C531E972}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BkavSiteAdvisor.BkavSiteAdvisorEngine.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}\ = "BksaPluggableProtocol Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269}\ProgID\ = "BkavSiteAdvisor.BkavSiteAdvisorEngine.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBCA127-FD48-4FF5-B523-0E0DB4B8C295}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67EDE076-3F8F-45AD-9E80-21B0C531E972}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1828	BkavHome.exe
1828	BkavHome.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
3492	BkavService.exe
1440	BkavHome.exe
1440	BkavHome.exe
3492	BkavService.exe
3492	BkavService.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
3584	fltmc.exe
4284	fltmc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	BkavService.exe
Token: SeBackupPrivilege	3492	BkavService.exe
Token: SeImpersonatePrivilege	3492	BkavService.exe
Token: SeDebugPrivilege	3492	BkavService.exe
Token: SeDebugPrivilege	3492	BkavService.exe
Token: SeBackupPrivilege	3492	BkavService.exe
Token: SeBackupPrivilege	3492	BkavService.exe
Token: SeLoadDriverPrivilege	3584	fltmc.exe
Token: SeDebugPrivilege	3492	BkavService.exe
Token: SeBackupPrivilege	3492	BkavService.exe
Token: SeDebugPrivilege	3492	BkavService.exe
Token: SeBackupPrivilege	3492	BkavService.exe
Token: SeDebugPrivilege	3492	BkavService.exe
Token: SeBackupPrivilege	3492	BkavService.exe
Token: SeLoadDriverPrivilege	4284	fltmc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2844	BHome.exe
2844	BHome.exe
2844	BHome.exe
2844	BHome.exe
1828	BkavHome.exe
1440	BkavHome.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1828	BkavHome.exe
1440	BkavHome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2844	BHome.exe
2844	BHome.exe
2844	BHome.exe
2844	BHome.exe
112	BkavHomeSetup.exd
112	BkavHomeSetup.exd
112	BkavHomeSetup.exd
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
4452	BkavHome.exe
4364	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1828	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
1440	BkavHome.exe
2328	BkavHome.exe
4792	BkavHome.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 112	2844	BHome.exe	82
PID 2844 wrote to memory of 112	2844	BHome.exe	82
PID 2844 wrote to memory of 112	2844	BHome.exe	82
PID 112 wrote to memory of 2672	112	BkavHomeSetup.exd	90
PID 112 wrote to memory of 2672	112	BkavHomeSetup.exd	90
PID 112 wrote to memory of 2672	112	BkavHomeSetup.exd	90
PID 112 wrote to memory of 1828	112	BkavHomeSetup.exd	91
PID 112 wrote to memory of 1828	112	BkavHomeSetup.exd	91
PID 112 wrote to memory of 1828	112	BkavHomeSetup.exd	91
PID 2672 wrote to memory of 2408	2672	regsvr32.exe	92
PID 2672 wrote to memory of 2408	2672	regsvr32.exe	92
PID 3492 wrote to memory of 4452	3492	BkavService.exe	93
PID 3492 wrote to memory of 4452	3492	BkavService.exe	93
PID 3492 wrote to memory of 4452	3492	BkavService.exe	93
PID 3492 wrote to memory of 4364	3492	BkavService.exe	94
PID 3492 wrote to memory of 4364	3492	BkavService.exe	94
PID 3492 wrote to memory of 4364	3492	BkavService.exe	94
PID 4364 wrote to memory of 3584	4364	BkavHome.exe	95
PID 4364 wrote to memory of 3584	4364	BkavHome.exe	95
PID 1828 wrote to memory of 1092	1828	BkavHome.exe	97
PID 1828 wrote to memory of 1092	1828	BkavHome.exe	97
PID 1828 wrote to memory of 1092	1828	BkavHome.exe	97
PID 3492 wrote to memory of 1628	3492	BkavService.exe	98
PID 3492 wrote to memory of 1628	3492	BkavService.exe	98
PID 3492 wrote to memory of 1628	3492	BkavService.exe	98
PID 3492 wrote to memory of 2592	3492	BkavService.exe	99
PID 3492 wrote to memory of 2592	3492	BkavService.exe	99
PID 3492 wrote to memory of 2592	3492	BkavService.exe	99
PID 3492 wrote to memory of 2328	3492	BkavService.exe	105
PID 3492 wrote to memory of 2328	3492	BkavService.exe	105
PID 3492 wrote to memory of 2328	3492	BkavService.exe	105
PID 3492 wrote to memory of 4792	3492	BkavService.exe	106
PID 3492 wrote to memory of 4792	3492	BkavService.exe	106
PID 3492 wrote to memory of 4792	3492	BkavService.exe	106
PID 4792 wrote to memory of 4284	4792	BkavHome.exe	107
PID 4792 wrote to memory of 4284	4792	BkavHome.exe	107
PID 1440 wrote to memory of 912	1440	BkavHome.exe	109
PID 1440 wrote to memory of 912	1440	BkavHome.exe	109
PID 1440 wrote to memory of 912	1440	BkavHome.exe	109
PID 3492 wrote to memory of 1948	3492	BkavService.exe	110
PID 3492 wrote to memory of 1948	3492	BkavService.exe	110
PID 3492 wrote to memory of 1948	3492	BkavService.exe	110

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2876549C-1023-4AA0-82FF-8ED7112D5269} = "1"	BkavService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	BkavService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	BkavService.exe

C:\Users\Admin\AppData\Local\Temp\BHome.exe
"C:\Users\Admin\AppData\Local\Temp\BHome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\BkavHome2014\BkavHomeSetup.exd
  "C:\Users\Admin\AppData\Local\Temp\BkavHome2014\BkavHomeSetup.exd"
  2⤵
  - Sets service image path in registry
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\BkavHome\BkavContextMenuHandler.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BkavHome\BkavContextMenuHandler.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2408
- - C:\Program Files (x86)\BkavHome\BkavHome.exe
    "C:\Program Files (x86)\BkavHome\BkavHome.exe" /Restart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSiteAdvisor.exe
      "C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSiteAdvisor.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1092

C:\Windows\SysWOW64\BkavService.exe
C:\Windows\SysWOW64\BkavService.exe
1⤵
- Sets service image path in registry
- Drops Chrome extension
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3492
- C:\Program Files (x86)\BkavHome\BkavHome.exe
  "C:\Program Files (x86)\BkavHome\BkavHome.exe" /ChangeFolderPer
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Program Files (x86)\BkavHome\BkavHome.exe
  "C:\Program Files (x86)\BkavHome\BkavHome.exe" /InstallSDF
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\system32\fltmc.exe
    fltmc load BkavSdFlt
    3⤵
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s"C:\Program Files (x86)\BkavHome\SiteAdvisor\npBkavSiteAdvisorPlugin.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIESiteAdvisor.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2592
- C:\Program Files (x86)\BkavHome\BkavHome.exe
  "C:\Program Files (x86)\BkavHome\BkavHome.exe" /ChangeFolderPer
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Program Files (x86)\BkavHome\BkavHome.exe
  "C:\Program Files (x86)\BkavHome\BkavHome.exe" /InstallSDF
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\system32\fltmc.exe
    fltmc load BkavSdFlt
    3⤵
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s"C:\Program Files (x86)\BkavHome\SiteAdvisor\npBkavSiteAdvisorPlugin.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948

C:\Program Files (x86)\BkavHome\BkavHomeUpdateService.exe
"C:\Program Files (x86)\BkavHome\BkavHomeUpdateService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\5ac5411b918c4b7790542ffca7f6fb00 /t 3688 /p 1828
1⤵
PID:4724

C:\Program Files (x86)\BkavHome\BkavHome.exe
"C:\Program Files (x86)\BkavHome\BkavHome.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSiteAdvisor.exe
  "C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSiteAdvisor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log

Filesize
616B

MD5
2f16565668bd17d54d47f2b190f14db7

SHA1
018ca61f07597befe7a996e4dcb8560aade667be

SHA256
b9abc40d3a235f36af2575ec097ab92a819888f0a068071b678e00519fa9e1cf

SHA512
653e181da631f95631c610eb2bfd487681e85f277d73cdd5d8da3b065b8c85621ada40174fe569a35e0a647d5c35db09a4a81a28a7226eda4261e31ab27f1b19

Download Submit
C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log

Filesize
665B

MD5
201c0b8cacdf5b301237f03c5460a246

SHA1
6ece3302a824023996ca1a89ce32f46c1a56a820

SHA256
6f5e1001a6235edc636ea356171b8faeb9f7540df91dc25f8155c0389e243dc6

SHA512
60e39b4f9dc9664c322d0e18d1fe1900ecbee6c0431ab04dfcea7bf3c8241b0ea6b17398b30f25d426a55274926a224080236e4bfcee9bd1dd0319e0623e1c77

Download Submit
C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log

Filesize
786B

MD5
950a64e390e76e9eaf53c205eb255d96

SHA1
4841f5bc702a09c39c84d08650ebe3d15c55580e

SHA256
275da626effe0d8561d8f881eff6506b505fbcb8106c28a5605fea4fd27f2e1e

SHA512
888922a056257c29fe50e3e53c180a3798cdfa088abd5b76cdb99c7ab4d004a9a49d2e0a292816fb39a5de35a40aeb56e475792c5dc44a4ce78a31e4a8b9d18a

Download Submit
C:\Program Files (x86)\BkavHome\AppLog\BkavHome.log

Filesize
1KB

MD5
a51f00aecb7d5ea9c7145f0f6fa692ec

SHA1
98da6d75efb73e987fded56df86a7ecce3583fb7

SHA256
934c863f88a1596825439257193101a273a9ca7a32a2cdcfda43c3703df422f1

SHA512
75ad13d27e15eb5718db968040134d1c0a6777e6618cf547c3c0383ab8e943d79581c17cc6c2911b3cef2b48d1848084cb11a0235a3706206ae6e3aa1d488145

Download Submit
C:\Program Files (x86)\BkavHome\AppLog\BkavService.log

Filesize
74B

MD5
610314ee88869441ad47a51468262113

SHA1
76317cd05f2f56062fca94a04522b1dec24ddc8f

SHA256
d67b5cc39883e313bba8766caecd716e0be167935f4f8929aa041c4e53cd5e36

SHA512
990af8ef0c5ed217eea17df3cba4d15b7fa2cedbf98494ec9fe9b1dc33ac8c2754daea80b97af7d74fcf090e9cf7a4b30d4f04a88933aa698e145c8aefc76974

Download Submit
C:\Program Files (x86)\BkavHome\AppLog\Install.log

Filesize
4KB

MD5
1d937557ba3c84e0f2c68b00a36b742a

SHA1
a122a254b1f87e9f386bc1019e9f9359ec286c82

SHA256
7175a74e3a8acb87881ca7ec3bfe934619292a5924b27f4da59b5f7416e0c878

SHA512
87101b886b664826d868b6af2b0debd37d91d4b1db688c62b7e55fa906052cc9f996cc3f375abcf9632ce0fce2f18287e834053469863c9d3ced3008eb74c05a

Download Submit
C:\Program Files (x86)\BkavHome\BkavContextMenuHandler.dll

Filesize
118KB

MD5
19f79d562875497545654fee142a58e7

SHA1
0f3ec94d55bb6c7562e8b26b53393b45bf56324d

SHA256
e29955605bd14ea4d0a2bb35965ad6d9cec41f1b5d80e3824e332ae8205c2066

SHA512
b8abdf11229bf1281536bc89b2a7f51ac95878bfa886952b2ac15722585fbb22d291a9cca44efdc3f2a04e65e830804061598f916520e9f93858fb5a79764f89

Download Submit
C:\Program Files (x86)\BkavHome\BkavHome.exe

Filesize
2.2MB

MD5
50d850e724b7716ad0bd094751177151

SHA1
47caa242895a426fbda613cea4ca3ffefe3c1bdf

SHA256
9a0d92b98b7dd9340c22600e57df6482784f3dff97a7c99de63b8fd73a15236a

SHA512
a5ffff38a7bc185232646171e023010502694bd40b30d0f493db4d1de34807d83bf8660b4331a3c2fbff36f71ce7fa606ce9954f1ef7c672adf620bf53bae5c8

Download Submit
C:\Program Files (x86)\BkavHome\BkavHomeUpdateService.exe

Filesize
211KB

MD5
b72b491132637c3eda85667569449d35

SHA1
1cc50670d4a42a16d00af204dbd2084064cf0dcc

SHA256
6596363ab360640c7759fe6aa764d8b24ba64bb84ca0b8f4f10a4dc3875b1abd

SHA512
e79a9880fc70a98bd8fd2d0ca55dd38da8fafdd43156ff16cfd6d0cf55af74cd5edf9f69c515619d53795c0748e4cb6f926d52e0ab363e127145ba408201f9d3

Download Submit
C:\Program Files (x86)\BkavHome\BkavHomeVn.log

Filesize
325B

MD5
f2599c101961df6d4b652d712cd35df0

SHA1
6868b00031b74003ec32020b57ecb1642929d91a

SHA256
c239fccc764b06b5143cc7cf9989f77bb069969a36c9c807abfc705d35aa0c3f

SHA512
024d7a250dc3f19eaf20f2c718d0e6bc0f21b5945925ffd3b6096981dfd62b3f3f56d4e424dd81c1e1372135e5cc24ef79562315a88bd96838b00ed57822a7d0

Download Submit
C:\Program Files (x86)\BkavHome\BkavLanguageEn.dll

Filesize
22KB

MD5
7989f94fa979f6ca91f443512432caf3

SHA1
b371e987699e3b134a6daa6665a9638383cd7689

SHA256
e6e5b1f7ab55f23a4ddb8bccd9ee8b4453375b4372d546d562dc0d184d52587c

SHA512
f42a7799202b373f802316b7d06f6f37534577f9ba539ad39e9acd9c93bc3ad6f63851a507b071be18b7ebfa9b83517e1dd9386377a11ca33cf3d297fc277300

Download Submit
C:\Program Files (x86)\BkavHome\BkavLanguageVn.dll

Filesize
21KB

MD5
01e4009921321b3c512528196c5df3ff

SHA1
61b7cc9a31c024ad27eda2afa301f97706bd7a37

SHA256
218464d22df4958c3edafe72d2187f99f1e27640fb7dd47fc038038d63888149

SHA512
a23588c0d855d87c304b27b5766f8b42959351ea97b7100fc26dd6417701d2e829162ad1c803716ce5e7da4c59b4b1e01119f30fce1f8ff8d0542a140ee3b45e

Download Submit
C:\Program Files (x86)\BkavHome\BkavRptClient.dll

Filesize
1.6MB

MD5
2edf43f5662902cb68feaf9c9b5997c2

SHA1
7275b6cc767b67c8a297e60cbb2a256808c6a806

SHA256
cb9dec3ce799a2ef42e7580c57e59d9fccd125c77ec1af9abae200cd85da337c

SHA512
fa7e293bf395b1526991c45ad2028a32cedf5018ef902a2b46731a9c08b489fe0d1aaa8197076a1bd86cfe046b222220199a30a0f3caa72a0171f0dfbd843343

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll0.dll

Filesize
252KB

MD5
7002284294743dabdf7719ef832bb7fa

SHA1
3ad440f1793f8e56e400602b0c76f66e74fd8854

SHA256
e641050a5f60786cac6703b1750b7d64c61094637d5d50e7319e20046cef498a

SHA512
b5932a5809976b01bb46fe2a942dc52d2d8863b5d637e4a6333dad989a1ae94a308d7e92af0f82e1c7604707b81b963f0dce9eb5141fbe6d3b42c02ec9d40a4b

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll1.dll

Filesize
876KB

MD5
9b264ab97e3682c14d40845571746d1c

SHA1
c5d199533882795232b58d0ceecb4a6275d4b1fd

SHA256
bce140ec0f49ab298da931d7fa9acd0468b7927ee09117b9517204b85d634573

SHA512
30cb06cfa55dfb09ce299f12ccdcc79fc6a959fdc0c8187a1f096c19dc2c4e0eb70c3c1f38b4f86970f6b215d78d04deb7c7646eac0241bf07c12713516389d9

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll2.dll

Filesize
108KB

MD5
6df6c10c9c423efc38155d582c088996

SHA1
2be721227feb8cd4bcf1cfb0663877d8ea87acb3

SHA256
f5280affd6b3620b399adcc0a7c484fac26863e55f9f03dafb4beea00692c848

SHA512
05170226e6244083f9789bc7f2d94d65b9e53eec7303ce66a78742e799beaa97148b026106ad4fcf4d8d4cab50fdee88ac060cd77183e41413e6f183e6a55236

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll3.dll

Filesize
7.7MB

MD5
d07f4f229220c9f35da15f05b6faf8e1

SHA1
a603832a0b2dacf52a2d02848b7dad2161e80efc

SHA256
3fa9eb81ba7576d2c4cd255fe1cf3ff4b04830eea95f5fc12e91072497cbd956

SHA512
1e2ad1b257f6cb08df78f3736c551857255ab39eb9435a457caf9c403b9e39605b89eac1e9d1fdc47336cbc58b36ab8d0dadc47648b6a670e586ebf72c4439d4

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll4.dll

Filesize
10.1MB

MD5
42dbf63a5af4a5f22049f8aa34d667c4

SHA1
1de62d82109dc6726ef3b75d5b90272a2690eb16

SHA256
4651458d5c4a3b53b367a4032cd34f8865e2b8a9d58fdfc4e5e0839351f3c254

SHA512
b8cd0132632056d77bbfc2a4f45a2ec7bca1d5d61b18fbacbd066758fac235d2d76fab64ad8f49d7058c6650517ef2e85643d83c24945bf13bc63005540fa8f6

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll5.dll

Filesize
9.1MB

MD5
02f23c37541e40fe626bcd574d38ac1a

SHA1
bc99b33f08f79aa9d65efe6badbe1fdd5f60534d

SHA256
0773731226035dae5d1254cb99fc28e84bd2b8b56fe7c5a23c55e6be3873f658

SHA512
df1afb3784dbeeb926db7f427aae856ebd38b10b2c16fe014162956210a57f2f06d0d5346bbfe456288c00dc8840feedd5d9ba227fc6333bfdcac9d5c0eeb2dd

Download Submit
C:\Program Files (x86)\BkavHome\BkavScanDll6.dll

Filesize
5.1MB

MD5
18d2e4c2afe7200cbaa6030006f400b4

SHA1
03054af951a382794562fe61ed67e1eb8ca9ae9b

SHA256
bc794c08b5f406b4d426054d2c294a5a7e2b966302d2b3f66f2e2bfac6d28212

SHA512
2a88081f44bb8732c0f0e019828269bf1b01ecc30bc933924af33fdd008f1afba1f1124df593b46783e1004c169342b724acfac2650a3f4e93461eb3403462c7

Download Submit
C:\Program Files (x86)\BkavHome\BkavSiteAdvisor.exe

Filesize
1.8MB

MD5
c5ec342efa76b125290d04d715ddace6

SHA1
f638e0d110754cfbb1667e30a60bf37bdb86f4a4

SHA256
a22a2584f387d4be1a379fc5d42ef752e26c3a49d3520b65dafb2b5df4384f6b

SHA512
c6c4e49119be51377f28122830a778b15711d69da43765a557c9cff82ee4ab78a4ea5386654359e3d0e0de9ddee19ad8f46872376db865df01c96d99c538e3c0

Download Submit
C:\Program Files (x86)\BkavHome\BkavSkin.dll

Filesize
1.7MB

MD5
77018cc51a7fe24742629a9a81835a18

SHA1
3275d59cc0c0fde2b452684d46f1a62cfca4cfb4

SHA256
6bc4359b340a63146b9f3dd77e369f707b9bc7e8fb21c51708fe8d27e529779b

SHA512
814558012d4c66dc07c7328e096edcbb28dd2301508c1543903f2c5670def61cab9ce49b6d199ff0aa723056cb7fdbb018a2f7e27a4d61244d642d231a749992

Download Submit
C:\Program Files (x86)\BkavHome\BkavSkinManager.dll

Filesize
140KB

MD5
078aebbc7b3d1eeeb4fe9acb11448be4

SHA1
d826605fcacafb8959480326bcd5a39a3de251f3

SHA256
873821d9661d431783822aad684996f6d77345fefe684d2657bd94b34a5851b9

SHA512
7521735956deb67ecef0c52e088157afefecaca94af34924da4485593043b2454e9541a50fb7526902eb56bc77763d08606bb168f7fb48c683836b267f75b571

Download Submit
C:\Program Files (x86)\BkavHome\CommonFunction\PatternCodeTable0.dat

Filesize
2.5MB

MD5
62b183b30f5dfd39c95ee05910c796ea

SHA1
93509e28225a7502f2a3f9d43d792ac2b5a7a7b4

SHA256
7d6be381dedc815a658903bdceeb68e7dee3337d3f2f5a9ac54f5d002b7992c5

SHA512
55d965f2fbe9b0e2b8ccb76b9cb098fa938f4e3deb9c696c930d29aba7e9bad88876ea633bdd90b908c0cf24a8313a530df720fda54a149ab498163ecc50e3ec

Download Submit
C:\Program Files (x86)\BkavHome\CommonFunction\StringDB0.dat

Filesize
196KB

MD5
8eab0fb46724907cee29a355468ed9f6

SHA1
8e3d57572fac142ee2df225a3706eca44b508010

SHA256
b5ccf66becde4b6d3a09e0fa7da49a9cc2b9624d777ccda5b6b25d067955ad63

SHA512
d805d861ba4510176ce986fb66769b3fcb77a36238a0cba3755c1f949b24ea26d14fa6ffb0e572658201e5176fa716b87822f26a5f524961fa95b59285585fa6

Download Submit
C:\Program Files (x86)\BkavHome\CommonFunction\VirusDef0.dat

Filesize
3.3MB

MD5
4f39b31bdde5f5bb58000ef41bfc4064

SHA1
efc4bdf789a90a4b5c6eecc1a824e2358dce48ae

SHA256
520dccc6ab1f2f8ab45be5302e8ff1efb0ec63c437080406fcf855dee0f8082c

SHA512
5e0b27423c0468a3d0351de990e7263df8bccc9e77e1fa602ab0aef8ea79b99e22958dd77e0bb34222206ecc0418c28077e7738d540486e4ee0a0ffd7081fab9

Download Submit
C:\Program Files (x86)\BkavHome\CommonFunction\VirusName0.dat

Filesize
1.3MB

MD5
d67456618987f46920fed4e9d9131cc3

SHA1
b10292909e61aa35135089935a4dc0aba98c7d09

SHA256
2746d65a0605829d5c9aa459fbb1941a515d10e85aff4caafb9ecde8348da8a1

SHA512
f5cfb7e4ca9899953ff5dbb9e309503cc4b4a4b49c040250878634b723165ac540096192776a0e3fc4761d4f7bbde06a12ba57aa0ba36bcaf272e18ae0604df4

Download Submit
C:\Program Files (x86)\BkavHome\CoreLib.dll

Filesize
81KB

MD5
8053f8edfe1401f56bfc6e8e5fae55b8

SHA1
240a5aba6bef8e33834de32a6b52547fb771cf78

SHA256
b354dc0f47a0ffb7abcdecf0fded8971204985497fbd0b17aacd5c3a9033d34e

SHA512
48b7edbcfbc815e369984461fdb66b3457d176cb597231fa9d53ce29755d768d7e6ae897b379ca631d10cc9857ef49a4cc2df627e34fcbfb1e8fa9184187fc5f

Download Submit
C:\Program Files (x86)\BkavHome\FileList

Filesize
2KB

MD5
784b3fd8802907d9c4feaa87ad629dea

SHA1
2583422539dfbb9b822408a58c8e720ebbcc235c

SHA256
69206d6ab4195bdaa5d45464d0c80519614d2ab76592b08e5681b19d6097bc19

SHA512
fc46836354328d0a5480aa2243a3effc1ae50e080c06fc27defa0d58640c8e6c1668d6dcf868073eeba272a6829123a11faad479bc771535dd226396abef1c0c

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIcon48.png

Filesize
4KB

MD5
64e5c9652be8e9a16410a8a09f10bab4

SHA1
0958fb45faab76c7f2e282f1f3bb01515f973b0f

SHA256
c1322d99bb69fd74cf53981c9014dfdad6f4a544ca5fc1ed5ea97d6638745a6d

SHA512
f133ba15d406e30ae6bc9d2a774d3b9dc34be365f426122d7066e87669517aa30e12a28117450f584fc639c7596ecdad64362f035575d645e9c6d5370066cf7d

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavIcon64.png

Filesize
22KB

MD5
c073b81661e399e4badc4f3e5d4b9ac0

SHA1
336c9f9bbd9514ce1ed63799cf59a18d5507c851

SHA256
ef360a5fa0c6ca5ae7e7890030a414f57d4b3fff242f24a1418444b1585e2240

SHA512
22a1c2297e4acf8ec0fc69aedf6c0f113084462da32f37c1f7ed2532b5c4888d86301f0d6bdb3b96598b5c56ce7c2e720b603c9caf620edd86ec0a8bb96424d5

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\BkavSafeRunStyle_FF.css

Filesize
2KB

MD5
23b8a6c178eff5020d1688ba4ec56947

SHA1
fe88a598633a1d6c352a3cccf28f48677aefb7de

SHA256
0b81d076f74a2ec5d64101dbcc41a36950398415fa79d9c5afcd7eff263e79d4

SHA512
844aa611783ffd54da133bb6f8e31f5f80ee63c81e46014204e28cbda9b2bebdfd45f9435e169b48f0e6ef4d092643438aa6c4068fe458ae9d162ca20bbd6d8c

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\ArrowBkavSafeRunDown.png

Filesize
2KB

MD5
68c28a87738f803b83f8be1cf300eb53

SHA1
f141fb3f78e58e3c18120d5996bfcd6276308a6d

SHA256
d20df2074f79ccdc849aaa5f0675955aca4f9741cdcaa845fedbc87e78d8d6d4

SHA512
bfd122afe76cdab644eb9388691a65a1099aa358c1ef183e72a8d552cd55885e25809fa9a2f317348c42d9da971b1026d0efdf7b4ec02456f360ac09c916ea93

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\ArrowBkavSafeRunUp.png

Filesize
2KB

MD5
032574ddbb8497148fd8365a5f5f2895

SHA1
e93fde57bc8f759bf476a1187cec466d0f235390

SHA256
1207ab1c69ff9b43a625ee3e62eabe78319d06f83b9321610fd44b0d7a81bc9a

SHA512
2c67fa5880eecd9639a103ef94daaf23888a7d5ceee9df154f2f6563b2b8d57bf52d73bb7e52e7409cd970d95014dca9d80ac948854e431b4cf9d4aabe9a28d4

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BkavIcon.png

Filesize
16KB

MD5
802eda5874b317c0f41f9e57bc80e35f

SHA1
3a6307faa7403031a9b26528938655af7f3b3454

SHA256
adc6c1bf0c392e912115b0228298497771ff4ba5bdbdf168a7e94ada179a0688

SHA512
b554643e5fa1234e4159cb679a353f60f3acea9eb3331cf6c11976be0e2f486e27ece26ab936385156009e8970b36f7bffb4b4e7d6f473addb242bc0a8adf98a

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxBottomCenter.png

Filesize
94B

MD5
583a2cbc4264087a599506bc7883831c

SHA1
c0d39c07894b22e58d2ba4cf9534231c44672bf6

SHA256
353513e37154f698778f75783a1aab4a96a28ca319e5e567905af5be65aaa16e

SHA512
39ff2013a435bf7f07971e477fe42bdc4be309771da05e3d3b166cff313be3420dcfe0fb500c633dd6f47cc6d697bec50be1e0c0df89656eef8a6cd48bf556cb

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxBottomLeft.png

Filesize
2KB

MD5
c09c7625aa0639a3223666254ced6637

SHA1
d8495036cf0b37631dd833d802db5b0868793163

SHA256
cd5369d0a0407afb2d672bd4f6149eed8ea9cfc17926aeeb20561dccf43bf6cf

SHA512
4817e5c2592e842fdc76a07f9d14fc72ee20922ba2cd0a5ac92eeaa36744a02adbb235c582510ef86f0fff769f4dada50f0d219ecd8b9a862a0d9c8e397e2954

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxBottomRight.png

Filesize
2KB

MD5
eeedb2b016139be51fe44d1bde0c43c3

SHA1
368e2d8e33800221b36a85bd2e059b327cc8f5a8

SHA256
1797a18e6c0df9bd4d15517ac9e6c539a9d711c513a4619d783a364cc2e6eb08

SHA512
9ba92fd5ce6f2c5f05b7cc04cf75d4193ba5fa69dbb52f6ffeeb88539a3578389fa67a42894d05b8109d6656186975d6f06fc1d91d09a814a6f808097eabfd4b

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxCenterLeft.png

Filesize
93B

MD5
a5dcf12af07145c6b04a38607784ce9c

SHA1
70caa413db0ee8cf0ee35b6bdc778bf672107a17

SHA256
aca445d7c9bc6a860f8502f40c73f1a7d238e7fed8ddecb831a01a60867256f8

SHA512
1f94ab22854b08e591effe73e9e6eddc56fbd706d429a9004f77d548071df47b27b1fa1bb32cc58b0c08fe28b653d8ca8f8fa84f30293c72712eb9f793e02258

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxCenterRight.png

Filesize
92B

MD5
3f6bb7c6a81603715076a1cdaae54d56

SHA1
edc39f56aca85cc3967db219a7fa24754070f3d4

SHA256
9cae3909d8f81f167e0c33af9dba7b01c204bda7663b644279e2fc1ffe99de53

SHA512
0beba13d22615c13964011113da04fe88894ae9fa5f2b839c67eba4dfa46cbe7b7d93dc187dffa29ca4940da9ad3ec60028ca806fc712872c9ce89f707d29cc1

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxTopCenter.png

Filesize
148B

MD5
3e8f0c822118449dfe86022dc688752e

SHA1
b48cd9b79113aa1a29de89e5471a872bb689244e

SHA256
5ac57b3553f3b3b352b345c2a4455424480124157007112fadc1cc9a5d2fa152

SHA512
6a4e56ab717af76ffd9a339788d1866e3c1ce9e7e8eda4560bea694bcce325b983999d28782521ccde14c6193679472b72070c0c56e69e1d31de4288624c35ff

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxTopLeft.png

Filesize
2KB

MD5
1a127f999fdd90dfddf005f40dfca659

SHA1
e770aacc18afe0fae763042ef985d0b321e1300b

SHA256
70a228eb5b61e9e27db0d7bad6ac2cc71949e97e9cbe7ba1f102d9a0a42e3f3f

SHA512
395d1b946cdea74863c1ff0d895bf30270da2eedc5497203fa14a73da22034da8c3b4c3469341cdb02569e9f1e8a12c370f223ea03aa30bb75d73557aa17ce12

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\BoxTopRight.png

Filesize
2KB

MD5
59064033aa98e75cc102fa997105ba02

SHA1
713a50cbb31defae984fcb21d494fb8c5a9b7905

SHA256
b66898909715ac48ef7a0149515a8b295a3359dac28d3ddbfa79eb5523a003d7

SHA512
03b6653e13b9c0528439c16e1a0a1536511cd848502147b0ada3b77f15f841384a45c585323d6a81226812609794a68670fc4eabf20a00bc3f27be7af359b268

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\Firefox\chrome\content\images\btnBack.png

Filesize
1KB

MD5
95c4b7fc5c49bc776ab03525ca22b095

SHA1
46f2834c7f5f37ee68eba6a43f536e196b6c9092

SHA256
bac7ae43397784c53cc7327780ce2f63b580f8d7bddce99acaf782f1d13f0b0f

SHA512
0ca8602039d3905ba1c8dbfb86da7d11f41a1f1d9321c2a13b6e18697bbb844ceeaf86a90ba5dd43ccea5a2d5858bf50e901eb6fc49f48f3580672d76ce24e70

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\SmallIconFF.png

Filesize
3KB

MD5
6846021af4515ec453f2a6d775af09c7

SHA1
d8fc9c4258e26cf98e15406b01aeea342341dabf

SHA256
aa0d68e701621450132f8c8b15733787d05cdcb66a6cd1d84afb3fc95d824c1b

SHA512
8b97105177cba47b0db994c0c4b0a9c46ccd742ce816275a139a9357e3ed3ecc0d411cd030e589f8c33c6463e4f1f1e433b9ec17b0b9ea9edd717f2ea2def6eb

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\SmallIconFFx.png

Filesize
3KB

MD5
8e74ec235d923359b7bbe8c51801741d

SHA1
76a7e038c35f6110d63acd269bfc6264748cbd9a

SHA256
27dd54a51530451585439f6d819cd75bbff7c086a1258e32c052d4324cfa088c

SHA512
df938595a43e06bfa661473f417fa1895b60ea7bf93f8d9dc435b227bb38be6b4d26a9298ef12994a05d26380dea8391829bca603d0b607480baa44372229998

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\alert_FF.html

Filesize
12KB

MD5
c78a98b6f6538b1cc13adfe43b6b65f4

SHA1
92dd2597b9b1e67a291235c2a0f2d70628574857

SHA256
33a6ce419b1794103dad8d7c9b737e4bae44ba20405969be4a81871488c59ede

SHA512
b4fa4e9e1ced68b9c5f91ef2d10f5ad76fd1cfb1c41aba2c71a17493b7138e4cad2bc529b4e4de07a7923b7d2d2289a3b1c77c23d530c70d03a19c5e3e20951b

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\bkavsiteadvisor.js

Filesize
18KB

MD5
b1e50d90c7a0f3bc9e10c86516783ea1

SHA1
1d4bfc2506b28a74a0ecacc7ce6637c73e07e870

SHA256
11898081d9961c73f3ae1bc7e7d8ab0abcc4f172d4ee751e9d0cdd2f09d70e2b

SHA512
99048568c8ce46706fcf486eedbd15e5e4300cf94e19a4a4b945cc7e1437878bc61fb76e356cf325314916946fd2ac0e317e258791caaa2487ab7a5789b3db32

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\browser.xul

Filesize
830B

MD5
2bc810522aaeb7b2cf067ad91a4ce7bc

SHA1
07d5043e04d40af1b93e1551c1fb52e5f17cd8d1

SHA256
b94bbdd0c63cbbdbd16ba30d25cfa6d964dde3790160ee860780af6d4ecea0f3

SHA512
e47eb55f8cdb42c4656a10a45cf501087119250f38b9f92c43a9100b4eabed9b838ea93689f078812c8a508d0ec37cd6cc42b73aeb41bc9ac2afe0a1a4b6acdf

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\button.js

Filesize
2KB

MD5
06d08b3564e1b7e71768b7317a4ff14d

SHA1
6206b61b2453caebddcf1ef5c8cfab5dff93cc21

SHA256
0463fd3945c16256ff65acc17d62df49518d44d2b87daa0743ac2df6c9042902

SHA512
e0a9e7ec44b3edc25054c53ab85be7b8c718c1c44d70f3c9f4270c89ea20dd5d1320c3e10ff71a5a44e15f2beedeff294fd23bfb383a2b7fa3c4cf3970a8878f

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\chrome.manifest

Filesize
314B

MD5
3e54619b4770c7464c8efdc911f1d0d4

SHA1
0c61dbd75bcc7c3c0bcfd6e3191ab9b5a784a3f4

SHA256
fac4c7184f5969ffedab81986f4cdb38bddd60341afeb2bdf3d3a71a7b6ba7da

SHA512
fbde3d805eccafc466696a87aa51df8c23bf4c56dfc84609ab6a7a3694d5bbf0c4f643e5836c090d8e54f2a560fbe15ec1ad4e5a6f58a104c18e901fb1af9e8e

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\install.rdf

Filesize
839B

MD5
a052c4de9b77a29b9e473b2a0b8e8531

SHA1
8d82f223911552494a72803d2e2bcf84a2287da8

SHA256
0a17dcce0e861dc9ad9e67d9de84f968c8059eb5be74a14819029deff1f6f5d3

SHA512
f6e68e7bfc64334b02ba30a05a4559bfa703c0f9e7ec79fbbabe0281bbc28b5f6762e922e33a42171137d865f5e54e9fb2a93d71682d8cfadbaca07bdf0725af

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\key.ico

Filesize
24KB

MD5
5035218ea43224b2e36981bac9188878

SHA1
aaa0231639076e2a135dce9cbe3b1944cd793e2c

SHA256
11c063a77aa03aa5388d21003b2ae1297f57710775aafb03c29f6835cdd49359

SHA512
a454aece653034e9484c2b2ec7a8a1d0baa961a69aa0faa6a8857e51849e22d667aa899a0b2fa803e0e071b19b41835006f83e6d7a2f545beeb73d9219cbac64

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\keydis.ico

Filesize
24KB

MD5
997590c0c50174f632bd05f36a5847f3

SHA1
c9a253da029a1e30a7d14b6f13071317d76a86ac

SHA256
c94e8f6cd9d961c43192a469cf94aa3bf0a4fd6730d4dcef20af73ab6e563ceb

SHA512
cebf1fd188bcc8c076807831385924d2bae3ccd4af2e265f66b3ecc3f5f582301c32e6b4d4a0e6bb23e5368f8ecfb526451c92a8d8fdb9a4a0fcee02e3b3d1fd

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\npBkavSiteAdvisorPlugin.dll

Filesize
1.2MB

MD5
265df5b9377db0438701b287e1a5c24b

SHA1
71dac3173b6c6f080fb8f7030ac4a664a85c527f

SHA256
d5cfc99fc8ceec09808a1e0ebe9dcbf132a5d3be554a80328009922abec16117

SHA512
86ed415e6719730e0d697bff729f96c92f34026657bcd23e8d62cdbd6e1f0068480f9d72d040df1010636ad3ad06c8db2045a2e81da9aebe57e9e9f3c52016c7

Download Submit
C:\Program Files (x86)\BkavHome\SiteAdvisor\plugin.js

Filesize
8KB

MD5
9a7a91c98445c8936f07324da6ad18be

SHA1
f9d63fbf2acbb64e45fe1aef1d37837e7fe1a363

SHA256
a27ba7aadd2390938c645b2ac2858f9ee8235f3b0073cfd7c9aae74d8ad049dc

SHA512
3aaa801f3dfbec6d5ea1718966e3ac19e0da6aac43dfb26e2ee8ba4b0f2a5860e6d4858549f3490f3a38367b63eeda7b4e07f792cb640671af7e1667860b93e4

Download Submit
C:\Program Files (x86)\BkavHome\SkinResource.dll

Filesize
10.1MB

MD5
b88902b6aa96f8ecf7df82e4eeb739a6

SHA1
ccb958b5c114e4c0ac4ebe18891e9ad59fb6f44f

SHA256
d9f7f807c3626b79a770028205ad0415f0d90d6713327a9062fb52cc05fa171b

SHA512
a8705aa153e62b86f7842e7ad704088069285cec4be22cc2de2353ae9ee51e344a6c29643199c3ce7f1bf415170e1e93617872697cfcbb4316096e79dedcbc29

Download Submit
C:\Program Files (x86)\BkavHome\WP\OrderTabVn.htm

Filesize
1KB

MD5
c9f00828ac789e7f484f6cd1d70373f0

SHA1
1ccfbaa1d4dfecb1c59218a6cdc01da90e3717be

SHA256
a19b6b8fc114f1cb1ab4b121eaf147e4472870d95411ffc6ce4dfc9ea8c297fd

SHA512
4e735c01028bc1860120de82c392b7bb86720c3b104b9d69fd567f6bf97498945305a45ea22260cd4262a3f42d9bb4172169f03c52e70299d101fd26b5bcdb27

Download Submit
C:\Windows\SysWOW64\BkavService.exe

Filesize
284KB

MD5
a8aa6cb54ef95f2dadf337b5df8def2c

SHA1
33a6be4c5d59289a5d4c102c6323785aecc9b456

SHA256
3df3ae1cbec5f24ed8f73310fd8c9d6992e21e15804ddfc79d41e7fec0826a5f

SHA512
6ebf133f6e0528655bc05ec05ecfcd2862f52655ca55cbe3b228407edd8512915728a18a0b54fbb61ea6ade79ab568d9836dbdc172bc69ac7e90fbcbca769812

Download Submit
memory/3492-237-0x0000000002F70000-0x0000000003724000-memory.dmp

Filesize
7.7MB

Download
memory/3492-224-0x00000000020B0000-0x00000000020CD000-memory.dmp

Filesize
116KB

Download
memory/3492-246-0x0000000003730000-0x000000000413E000-memory.dmp

Filesize
10.1MB

Download
memory/3492-252-0x0000000004140000-0x0000000004A64000-memory.dmp

Filesize
9.1MB

Download
memory/3492-258-0x0000000004BC0000-0x00000000050CC000-memory.dmp

Filesize
5.0MB

Download
memory/3492-214-0x0000000001F80000-0x0000000001FC2000-memory.dmp

Filesize
264KB

Download
memory/3492-219-0x0000000001FD0000-0x00000000020AD000-memory.dmp

Filesize
884KB

Download
memory/3492-513-0x0000000003530000-0x0000000003CE4000-memory.dmp

Filesize
7.7MB

Download
memory/3492-515-0x0000000003CF0000-0x00000000046FE000-memory.dmp

Filesize
10.1MB

Download
memory/3492-516-0x0000000004700000-0x0000000005024000-memory.dmp

Filesize
9.1MB

Download
memory/3492-520-0x0000000005030000-0x000000000553C000-memory.dmp

Filesize
5.0MB

Download