aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea

Analysis

max time kernel
69s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
Size

1008KB
MD5

8d17b6f739b852720928542609534f25
SHA1

ba078a4a2adc7766e94d36b53c2d1082b4e21be3
SHA256

aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea
SHA512

74cdb18a02f0d31051d1b598677a364106a1d0d07ba5db6dd4a019dc6af9df919307eb9a9c8be8c4945adf3cf458b07b501ce7c63fc396fb9a04b3ff3104607b

Score

10^/10

bootkit discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuPropExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuPropExt\ = "{903D855A-D671-4A8E-A592-9168755917DB}"	regsvr32.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

kuaizip_setup_2974234250_xiuqi_001.exeheinote_2974234250_xiuqi_001.exehnote.exehnote.exeupdateservice.exenotepaper.exeupdateservice.exeKuaiZip.exeReport.exeKuaiZip.exeKZReport.exehnote.exeskinbox.exeskinbox.exeskinbox.exeskinbox.exeskinbox.exefeedback.exefeedback.exefeedback.exefeedback.exefeedback.exereadmode.exereadmode.exereadmode.exereadmode.exereadmode.exeupgrade.exeReport.exeUpdate.exe

pid	process
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
588	hnote.exe
320	hnote.exe
284	updateservice.exe
768	notepaper.exe
1872	updateservice.exe
1732	KuaiZip.exe
900	Report.exe
1868	KuaiZip.exe
364	KZReport.exe
1600	hnote.exe
1548	skinbox.exe
1964	skinbox.exe
1772	skinbox.exe
1884	skinbox.exe
1080	skinbox.exe
820	feedback.exe
1348	feedback.exe
2056	feedback.exe
2080	feedback.exe
2096	feedback.exe
2136	readmode.exe
2172	readmode.exe
2200	readmode.exe
2224	readmode.exe
2256	readmode.exe
2276	upgrade.exe
2312	Report.exe
2336	Update.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 50 IoCs

Processes:

aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exekuaizip_setup_2974234250_xiuqi_001.exeheinote_2974234250_xiuqi_001.exehnote.exehnote.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exesvchost.exenotepaper.exeKuaiZip.exesvchost.exeKuaiZip.exeupdateservice.exe

pid	process
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1416	regsvr32.exe
1824	regsvr32.exe
1600	regsvr32.exe
1580	regsvr32.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1272
1272
1272
1272
1272
1272
1272
1272
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
588	hnote.exe
320	hnote.exe
772	regsvr32.exe
1520	regsvr32.exe
976	regsvr32.exe
1416	regsvr32.exe
1740	heinote_2974234250_xiuqi_001.exe
904	svchost.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
768	notepaper.exe
1272
1272
1272
1272
1732	KuaiZip.exe
1740	heinote_2974234250_xiuqi_001.exe
1732	KuaiZip.exe
1732	KuaiZip.exe
1392	svchost.exe
1868	KuaiZip.exe
1868	KuaiZip.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1872	updateservice.exe
1872	updateservice.exe
1872	updateservice.exe
1872	updateservice.exe
1872	updateservice.exe
1872	updateservice.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

kuaizip_setup_2974234250_xiuqi_001.exeheinote_2974234250_xiuqi_001.exeReport.exeKZReport.exeUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	kuaizip_setup_2974234250_xiuqi_001.exe
File opened for modification	\??\PhysicalDrive0	heinote_2974234250_xiuqi_001.exe
File opened for modification	\??\PhysicalDrive0	Report.exe
File opened for modification	\??\PhysicalDrive0	KZReport.exe
File opened for modification	\??\PhysicalDrive0	Update.exe

Drops file in Windows directory 1 IoCs

Processes:

kuaizip_setup_2974234250_xiuqi_001.exe

description ioc process

File created C:\Windows\Tasks\KuaiZip_Update.job kuaizip_setup_2974234250_xiuqi_001.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\KuaiZip_Update.job	kuaizip_setup_2974234250_xiuqi_001.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\software\Heinote\report	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Heinote	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Heinote\report	svchost.exe

Modifies registry class 64 IoCs

Processes:

KuaiZip.exeregsvr32.exeregsvr32.exeregsvr32.exehnote.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.097\ = "Kuaizip.097"	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\KZPropertyExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F0E55AF-FD4C-4DA2-909C-5DB8A86B1E70}\ = "IKzShlobj"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.027	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.033\DefaultIcon	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.043\ = "Kuaizip.043"	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.02	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.013\	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.068\Shell\Open\Command	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.089\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.082	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\快压\\X64"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02B30F0-7D50-4437-85E1-55B599290C71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.z\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.001\ = "Kuaizip.001"	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.016\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe,0"	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.07	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.034\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.036\	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.048\	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.092\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe,0"	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.082\	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.084\	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.092\Shell\Open\Command	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.gzip\	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.04\Shell\Open\Command	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.027\Shell	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.074\Shell\Open	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.097\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.098\Shell\Open	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.03	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.030\Shell\Open	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.049\	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.092	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.095\Shell	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.098	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.PropertyExt.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F0E55AF-FD4C-4DA2-909C-5DB8A86B1E70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.zip\Shell\Open	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.7z\Shell\Open	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.054\	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.006\Shell	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.042\DefaultIcon	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.057\Shell\Open	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.092\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.035	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.041\ = "Kuaizip.041"	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8FD7413-FFDD-40CF-B964-DD7E9E197C51}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.tgz\Shell	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.tbz\	KuaiZip.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.003	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.032	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.068\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe,0"	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.068\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.093	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Heinote.txt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Heinote\\hnote.exe,0"	hnote.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Heinote.txt\shell	hnote.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.tgz\Shell\Open	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.08\ = "Kuaizip.08"	KuaiZip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.028\Shell\Open	KuaiZip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Kuaizip.048\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe\" \"%1\""	KuaiZip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kuaizip.053\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\快压\\X86\\KuaiZip.exe,0"	KuaiZip.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

980 regedit.exe

pid	process
980	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exekuaizip_setup_2974234250_xiuqi_001.exeheinote_2974234250_xiuqi_001.exeregsvr32.exeregsvr32.exehnote.exehnote.exeregsvr32.exeregsvr32.exesvchost.exeupdateservice.exeupdateservice.exe

pid	process
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
1740	heinote_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1692	kuaizip_setup_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1824	regsvr32.exe
1824	regsvr32.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
1580	regsvr32.exe
1580	regsvr32.exe
588	hnote.exe
588	hnote.exe
320	hnote.exe
320	hnote.exe
1520	regsvr32.exe
1520	regsvr32.exe
1416	regsvr32.exe
1416	regsvr32.exe
1740	heinote_2974234250_xiuqi_001.exe
1740	heinote_2974234250_xiuqi_001.exe
904	svchost.exe
904	svchost.exe
284	updateservice.exe
284	updateservice.exe
1872	updateservice.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

KZReport.exe

description pid process

Token: SeDebugPrivilege 364 KZReport.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	364	KZReport.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exekuaizip_setup_2974234250_xiuqi_001.exeregsvr32.exeregsvr32.exeheinote_2974234250_xiuqi_001.exe

description	pid	process	target process
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1692	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	kuaizip_setup_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1740	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	heinote_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1740	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	heinote_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1740	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	heinote_2974234250_xiuqi_001.exe
PID 1180 wrote to memory of 1740	1180	aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe	heinote_2974234250_xiuqi_001.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1548	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1316	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1516	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1416	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 1824	1416	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1692 wrote to memory of 1600	1692	kuaizip_setup_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1580	1600	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1772	1740	heinote_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1740 wrote to memory of 1772	1740	heinote_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1740 wrote to memory of 1772	1740	heinote_2974234250_xiuqi_001.exe	regsvr32.exe
PID 1740 wrote to memory of 1772	1740	heinote_2974234250_xiuqi_001.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe
"C:\Users\Admin\AppData\Local\Temp\aeba954a9b3afa58807aad0b266745c8bad637ac2cfedf3cfb4f11745ad85fea.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\kuaizip_setup_2974234250_xiuqi_001.exe
"C:\Users\Admin\AppData\Local\Temp\kuaizip_setup_2974234250_xiuqi_001.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
3⤵
PID:1548

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
3⤵
PID:1316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\快压\X86\kuaizipUpdateChecker.dll
3⤵
PID:1516

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
4⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
4⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe
"C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe" -instsvr
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe
"C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe" -AssociateAll
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868

C:\Users\Admin\AppData\Roaming\快压\X86\KZReport.exe
"C:\Users\Admin\AppData\Roaming\快压\X86\KZReport.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Users\Admin\AppData\Local\Temp\heinote_2974234250_xiuqi_001.exe
"C:\Users\Admin\AppData\Local\Temp\heinote_2974234250_xiuqi_001.exe" -wjm
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
3⤵
PID:1772

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
3⤵
PID:904

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\Heinote\hnchecker.dll
3⤵
PID:1764

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Heinote\UserChoise.reg
3⤵
PID:112

C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe
"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Heinote\UserChoise.reg"
4⤵
- Runs .reg file with regedit
PID:980

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
3⤵
- Loads dropped DLL
PID:772

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe
"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -schedule
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
3⤵
- Loads dropped DLL
PID:976

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\AppData\Roaming\Heinote\updateservice.exe
"C:\Users\Admin\AppData\Roaming\Heinote\updateservice.exe" -install
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:284

C:\Users\Admin\AppData\Roaming\Heinote\notepaper.exe
"C:\Users\Admin\AppData\Roaming\Heinote\notepaper.exe" -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768

C:\Users\Admin\AppData\Roaming\Heinote\Report.exe
"C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:900

C:\Users\Admin\AppData\Local\Temp\qqgj.exe
"C:\Users\Admin\AppData\Local\Temp\qqgj.exe"
2⤵
PID:3060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k HEINOTEUPDATE
1⤵
PID:1712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k HEINOTEUPDATE
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\users\admin\appdata\roaming\heinote\hnote.exe
"C:\users\admin\appdata\roaming\heinote\hnote.exe" -fix
2⤵
PID:2580

C:\users\admin\appdata\roaming\heinote\hnote.exe
"C:\users\admin\appdata\roaming\heinote\hnote.exe" -fix
3⤵
PID:2636

\??\c:\users\admin\appdata\roaming\heinote\skinbox.exe
c:\users\admin\appdata\roaming\heinote\skinbox.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
2⤵
PID:2604

\??\c:\users\admin\appdata\roaming\heinote\skinbox.exe
c:\users\admin\appdata\roaming\heinote\skinbox.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
PID:2620

\??\c:\users\admin\appdata\roaming\heinote\skinbox.exe
c:\users\admin\appdata\roaming\heinote\skinbox.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
PID:2656

\??\c:\users\admin\appdata\roaming\heinote\skinbox.exe
c:\users\admin\appdata\roaming\heinote\skinbox.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
2⤵
PID:2712

\??\c:\users\admin\appdata\roaming\heinote\skinbox.exe
c:\users\admin\appdata\roaming\heinote\skinbox.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
2⤵
PID:2692

\??\c:\users\admin\appdata\roaming\heinote\feedback.exe
c:\users\admin\appdata\roaming\heinote\feedback.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
2⤵
PID:2724

\??\c:\users\admin\appdata\roaming\heinote\feedback.exe
c:\users\admin\appdata\roaming\heinote\feedback.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
PID:2748

\??\c:\users\admin\appdata\roaming\heinote\feedback.exe
c:\users\admin\appdata\roaming\heinote\feedback.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
PID:2764

\??\c:\users\admin\appdata\roaming\heinote\feedback.exe
c:\users\admin\appdata\roaming\heinote\feedback.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
2⤵
PID:2788

\??\c:\users\admin\appdata\roaming\heinote\feedback.exe
c:\users\admin\appdata\roaming\heinote\feedback.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
2⤵
PID:2812

\??\c:\users\admin\appdata\roaming\heinote\readmode.exe
c:\users\admin\appdata\roaming\heinote\readmode.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
2⤵
PID:2832

\??\c:\users\admin\appdata\roaming\heinote\readmode.exe
c:\users\admin\appdata\roaming\heinote\readmode.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
PID:2860

\??\c:\users\admin\appdata\roaming\heinote\readmode.exe
c:\users\admin\appdata\roaming\heinote\readmode.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
PID:2896

\??\c:\users\admin\appdata\roaming\heinote\readmode.exe
c:\users\admin\appdata\roaming\heinote\readmode.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
2⤵
PID:2912

\??\c:\users\admin\appdata\roaming\heinote\readmode.exe
c:\users\admin\appdata\roaming\heinote\readmode.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
2⤵
PID:2948

\??\c:\users\admin\appdata\roaming\heinote\upgrade.exe
c:\users\admin\appdata\roaming\heinote\upgrade.exe -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=
2⤵
PID:2960

\??\c:\users\admin\appdata\roaming\heinote\Report.exe
c:\users\admin\appdata\roaming\heinote\Report.exe -param=dfCYNNpba0T2g3DwxQ==
2⤵
PID:2996

\??\c:\users\admin\appdata\roaming\heinote\Update.exe
c:\users\admin\appdata\roaming\heinote\Update.exe -param=dfCYNNpbbFHijXbhxQ==
2⤵
PID:3016

C:\Users\Admin\AppData\Roaming\Heinote\updateservice.exe
C:\Users\Admin\AppData\Roaming\Heinote\updateservice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe
"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -fix
2⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
2⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
2⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
2⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
2⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
2⤵
- Executes dropped EXE
PID:2080

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
2⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
2⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
- Executes dropped EXE
PID:2200

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
2⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
2⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
2⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe
C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=
2⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Roaming\Heinote\Report.exe
C:\Users\Admin\AppData\Roaming\Heinote\Report.exe -param=dfCYNNpba0T2g3DwxQ==
2⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Roaming\Heinote\Update.exe
C:\Users\Admin\AppData\Roaming\Heinote\Update.exe -param=dfCYNNpbbFHijXbhxQ==
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc
1⤵
PID:436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc
1⤵
- Loads dropped DLL
PID:1392

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:2152

C:\Users\Admin\AppData\Roaming\Heinote\Update.exe
"C:\Users\Admin\AppData\Roaming\Heinote\Update.exe" -param=dfCYNNpbbFHijXbhxQ==
1⤵
PID:2088

C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe
"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=
1⤵
PID:2080

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
1⤵
PID:2160

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
1⤵
PID:2056

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:284

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
1⤵
PID:2128

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
1⤵
PID:1348

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
1⤵
PID:2120

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:820

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:872

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
1⤵
PID:2108

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
1⤵
PID:2092

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
1⤵
PID:1884

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:1868

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:1080

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
1⤵
PID:1548

C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe
"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -assoc
1⤵
PID:2064

C:\Users\Admin\AppData\Roaming\Heinote\Update.exe
"C:\Users\Admin\AppData\Roaming\Heinote\Update.exe" -param=dfCYNNpbbFHijXbhxQ==
1⤵
PID:2028

C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe
"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=
1⤵
PID:2372

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
1⤵
PID:2328

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
1⤵
PID:2344

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:576

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:1668

C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe
"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
1⤵
PID:848

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
1⤵
PID:2348

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
1⤵
PID:2320

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:2316

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:2260

C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe
"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
1⤵
PID:2300

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy
1⤵
PID:2264

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh
1⤵
PID:2296

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:2276

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=
1⤵
PID:2284

C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe
"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA
1⤵
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\heinote_2974234250_xiuqi_001.exe
Filesize
12.3MB

MD5
f00199abb106a3f4aa90466463e81686

SHA1
9b0c1d8026e421566e76e8e83cb02962c968d951

SHA256
b3534c890202792e1d45a81704bbbe8337198f841ef6fc7e5b32e84369a51270

SHA512
0f14a96e79a52123f5d25cf4b39be8b2ff35592da3656bd2c502d47ac21576048ea9c8e2b429042186f2664115b6deb0608f0e41f18a8493ccc448afc4a33dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\heinote_2974234250_xiuqi_001.exe
Filesize
12.3MB

MD5
f00199abb106a3f4aa90466463e81686

SHA1
9b0c1d8026e421566e76e8e83cb02962c968d951

SHA256
b3534c890202792e1d45a81704bbbe8337198f841ef6fc7e5b32e84369a51270

SHA512
0f14a96e79a52123f5d25cf4b39be8b2ff35592da3656bd2c502d47ac21576048ea9c8e2b429042186f2664115b6deb0608f0e41f18a8493ccc448afc4a33dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuaizip_setup_2974234250_xiuqi_001.exe
Filesize
12.9MB

MD5
4f107adde5f4224d15715f2f5354eaac

SHA1
3265bf068247632631886fc5b0e72b2bf784d495

SHA256
6bbbbbfbfc6f169898d7526657baa68c8f354cdb4a27cb2f40635c7d5ea3d4a7

SHA512
a8f1e53c2d73cd504380a00b2999c41f6b585f5f762d8087d85502b56b512e57c27cf9c0ff7b696f183c56b3c3babb6efdb641727732b89c88ea77707b330ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuaizip_setup_2974234250_xiuqi_001.exe
Filesize
12.9MB

MD5
4f107adde5f4224d15715f2f5354eaac

SHA1
3265bf068247632631886fc5b0e72b2bf784d495

SHA256
6bbbbbfbfc6f169898d7526657baa68c8f354cdb4a27cb2f40635c7d5ea3d4a7

SHA512
a8f1e53c2d73cd504380a00b2999c41f6b585f5f762d8087d85502b56b512e57c27cf9c0ff7b696f183c56b3c3babb6efdb641727732b89c88ea77707b330ead

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\DuiLib.dll
Filesize
863KB

MD5
9b7f2fa89fefbe91dca59d0a6cd98f31

SHA1
585f84a775ffae5c0722f544e19523f63ed86675

SHA256
f50e5bd24085f81a5d26ea1956391d452bdf33fcdc267896ef96e9d8e3c2f9b8

SHA512
45f2d88f1c04b7b73fcc328cb443a5729603776739ea18e16426839152e39be336f37f52e63300c339456f90f03b9d9a22d68b48b9a56721f2cf37445cf2b965

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
Filesize
1.9MB

MD5
e5e686d67dda77cebc972f3b8abb3134

SHA1
02d57970a0e3e31d804137e0ae8fcc2d3c063572

SHA256
1c90302eeb89e758e8da7d3fff1b3a4b346ac104884fa3ffe6ccb29a940d69cc

SHA512
15a4c3d3d7f9561c74219f70f681dae83a2e5e57e3de6dda4095b0ebbda3050d2ff513ca0d6b77b2eeff9cc2f1001f2b06a53cb93e8a4ef6ec65b181926f9625

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
Filesize
1.8MB

MD5
e23be304bc870b7fd8b8d596b0b64627

SHA1
617fc606f7e12c109e8ae0fc71e294e6d18c3051

SHA256
4a02a7155fc9d570eb46850ff69bc1705ffbf4ab2cad0b6728539ee4f64c0373

SHA512
a9dc7027a0bd542318767d9b9bbb0ce1f264fcee515368a9f0ed2a45458b972fec07ad25ea355b8863cdeef7d16352482dcebc71e6de6a7ca1a33c3d69f3f2ea

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\Heinote.ini
Filesize
24KB

MD5
8ca6610a490d2052aaf02c840c4c0ec8

SHA1
4a097d063f588e930f049976571c1082f3939308

SHA256
97c54aa50d19ed22262ba19c947327b3e403e5440253b5a1152f8a0f47f8cd99

SHA512
dfbe49d6171215e89f81ad713c6067922c06f8e67ae930ff965fab1fcc4a3492a6d15a1cb93ba65b74149aea2dbc3aff042b8d46dbb294e5cec635be09edbaab

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\Report.exe
Filesize
1.3MB

MD5
6c1c1a345190285feef0af68cbd7b460

SHA1
f6518cab867588812a6d25721a437d95c16b3e9c

SHA256
3d5df248f910d765f909e8bcd88575d26230645532149cbc2fb607be7d082bba

SHA512
eba5c504ef175dad183877ea788ee79ed4521715319c6aeba6b4594acf79763bfa74df0dc2d0f7d6cb5896fb20248285ea6534a19bea75fd54871ecb44924062

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\UserChoise.reg
Filesize
13KB

MD5
621e7434b6902b388e990d4757c98273

SHA1
ca556b27ff3cd31673578086985142e68488ac6c

SHA256
7153ef18f878846f7f0069170d1cae6b2f56b591794f7e62834441d21e3ee760

SHA512
0cb8c37b446fbfce8aa27c56f51b2414aa73c1e64e32dc2cbc5cfe017bf5d324d4ad75e60370561d0bbb688563743e924f75dc406b97c7d4ef8bc37aa1f45d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe
Filesize
6.7MB

MD5
b96fecbe32592e5248557c45a394c30c

SHA1
79c38e410b015e899a7d0b9661e06005af120abc

SHA256
eb6e19584fea22aaa59218e94c9156f2728d8b25eeb061f9062c42705992fac3

SHA512
f2e4851158b03d3e3e1263d326ccb43f6ba121a37cbf6df42a8f54f9a4f336449902dbf576a8d3308bc3f160bbce7d3af9d94ef4951ebd0e954500830ac6f8af

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe
Filesize
6.7MB

MD5
b96fecbe32592e5248557c45a394c30c

SHA1
79c38e410b015e899a7d0b9661e06005af120abc

SHA256
eb6e19584fea22aaa59218e94c9156f2728d8b25eeb061f9062c42705992fac3

SHA512
f2e4851158b03d3e3e1263d326ccb43f6ba121a37cbf6df42a8f54f9a4f336449902dbf576a8d3308bc3f160bbce7d3af9d94ef4951ebd0e954500830ac6f8af

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\notepaper.exe
Filesize
3.6MB

MD5
72b85a1b360a95ad3ba048d7591ef9ce

SHA1
6e03550dff0f9fb71407cb45909b74f7286fc648

SHA256
f1190e38febfebb478ab5604303719a3362859b4f5f314e3767347b2839372b9

SHA512
958cac2b3f3e23ea445cf8fa786b5b2e2414dd6efb1fe69dfdff169183ddaaccd2f2af8cd2e79775f2c8c35c9e9b33dcb47572c9a09c1c99aa4d92ca1de67fec

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\updateservice.exe
Filesize
1.1MB

MD5
1f607bef859fc9202d44af91b3557421

SHA1
424b86fa7ea5f3376c221c4f46cefc0f80554e4a

SHA256
5df56f216da9d9e2eaf2a3cc6604051676820290fda5bf26baea9b7fae50e40a

SHA512
50f0770a3bd8e1934e709c3a8bd763809602b36387a534fee7e2caa645d4e780205b12a94f2ee64e01820649911d50a87be6343dc729071f505381b3a03d0429

Download Submit
C:\Users\Admin\AppData\Roaming\Heinote\updateservice.exe
Filesize
1.1MB

MD5
1f607bef859fc9202d44af91b3557421

SHA1
424b86fa7ea5f3376c221c4f46cefc0f80554e4a

SHA256
5df56f216da9d9e2eaf2a3cc6604051676820290fda5bf26baea9b7fae50e40a

SHA512
50f0770a3bd8e1934e709c3a8bd763809602b36387a534fee7e2caa645d4e780205b12a94f2ee64e01820649911d50a87be6343dc729071f505381b3a03d0429

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
Filesize
1.8MB

MD5
856adf37fbfe308b277d70f61b1648bd

SHA1
46ae3c502ed79f6de30b46248ad9a0b4bb75b494

SHA256
ada78735527cff0e0110cf43cc7e58793aeb18138ba1d50f5aafef0f5d1a2ada

SHA512
04d9047962f8d8c1510ddf73ad6b57a4686f83700222cff76eb0842adeaaf018e909e339963f7476dab5ee1c62f50e8c1fd6bbaec3aca9928a7fe9ea16b804f5

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
Filesize
1.9MB

MD5
70d0ab551e7d888fb091ad0c48c53406

SHA1
486cd118b5c9d96022b139518039d7f60c19f7f6

SHA256
1c0991869791cbc4fb02ca5ce0214b5e4cdfbcebf50458ee3fdb3c133a5b7a07

SHA512
a9eff9b6458aa9a7fd32ff35077050145a1ca0a13f485bd8b486be6c8c475b5b1c793b9adbfbc6946aaf9d57f8393425bcc7987ffdb509deae5e1fa901ac103e

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe
Filesize
5.1MB

MD5
9fddde7dbea9646c6fab0eb4f1a158f0

SHA1
f8c0c8c77c24f23f618af0daf6e0ad089ef36d73

SHA256
1dab58d5ca875ef0bbe2c01d35133f071745c67b15ecc0a21edfd3062e09afcc

SHA512
74e80e8b181fd78505a0a0fbe62e6c4a786b62c844a7f11e122a078e88cf3cc14f8a36968daf9aec5e06ca022cf97bf243df2fa637223b1f3ee967a7963956f7

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe
Filesize
5.1MB

MD5
9fddde7dbea9646c6fab0eb4f1a158f0

SHA1
f8c0c8c77c24f23f618af0daf6e0ad089ef36d73

SHA256
1dab58d5ca875ef0bbe2c01d35133f071745c67b15ecc0a21edfd3062e09afcc

SHA512
74e80e8b181fd78505a0a0fbe62e6c4a786b62c844a7f11e122a078e88cf3cc14f8a36968daf9aec5e06ca022cf97bf243df2fa637223b1f3ee967a7963956f7

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X86\Lang\Chs_Lang.dll
Filesize
226KB

MD5
d80f27a8f2aa43083c729b18bf3e05f6

SHA1
6e24c81f27df9f01a44c1cb5b1bd8388d473e91c

SHA256
7adc023ec24a03a13e7dc7872ce5ca8e02d045712abc539d79abd6fd9ee3872e

SHA512
4ae2abaffc4077193854a5f992d3ab556a87ff4e386b3e2eeaf43b0e162dd8a0d8acf99c2f8e68c257969614ae83c49d17824dbb667cd6a972f887d0e0feb0b1

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X86\duilib.dll
Filesize
585KB

MD5
79a1ec25267a3471566212ad6738a299

SHA1
9f16ae130766490204324ece02f6b56930643b47

SHA256
8a5334f329442d8b6e19a22c444e6170ddc8c2fe520f696bbd59ec72baa445ee

SHA512
f6f492b3a4cc3cc67b713ba517d34012f45a58872d68d8e1aed5d93438051a2af2359d3103ea8f465b9f8d9bdcfd8eb9835000ba274f174f232f837beba9216a

Download Submit
C:\Users\Admin\AppData\Roaming\快压\X86\kuaizipUpdateChecker.dll
Filesize
866KB

MD5
c68c2be483451e8a95fbe438f375ef02

SHA1
a5dde5ffdd32dd8992d97c19f49a4bc619215c9b

SHA256
a7ec931e3bf63ed1a55d8b81df45c3d27fa5d249abf204d0e6d853cbafad5723

SHA512
32646e5c85086ef738e267c83cbb3517220d4b02f8592d13c5df4c0b68cc041a3efc84156ce5030bbacabcece12567b0457334c6844ff5832529c2ed069fbee3

Download Submit
\??\c:\users\admin\appdata\roaming\heinote\hnchecker.dll
Filesize
907KB

MD5
94fd3bcfd0ccb1431b3fd6cc03db3803

SHA1
774fe443f72cea2399860b8732cb0caa9501ba21

SHA256
7a0cf5b766519f8bc224ffa04b21d00c0048918f8efde124e83b42b71d942d49

SHA512
2b2a85520c40b3f766a6410d2fb564ce117e4f2a96da49c0314914f036ab614415852518d9fefb36a5efb20eaf29bb0b431885f0f8f2caab628cf09518247f12

Download Submit
\Users\Admin\AppData\Local\Temp\heinote_2974234250_xiuqi_001.exe
Filesize
12.3MB

MD5
f00199abb106a3f4aa90466463e81686

SHA1
9b0c1d8026e421566e76e8e83cb02962c968d951

SHA256
b3534c890202792e1d45a81704bbbe8337198f841ef6fc7e5b32e84369a51270

SHA512
0f14a96e79a52123f5d25cf4b39be8b2ff35592da3656bd2c502d47ac21576048ea9c8e2b429042186f2664115b6deb0608f0e41f18a8493ccc448afc4a33dda

Download Submit
\Users\Admin\AppData\Local\Temp\kuaizip_setup_2974234250_xiuqi_001.exe
Filesize
12.9MB

MD5
4f107adde5f4224d15715f2f5354eaac

SHA1
3265bf068247632631886fc5b0e72b2bf784d495

SHA256
6bbbbbfbfc6f169898d7526657baa68c8f354cdb4a27cb2f40635c7d5ea3d4a7

SHA512
a8f1e53c2d73cd504380a00b2999c41f6b585f5f762d8087d85502b56b512e57c27cf9c0ff7b696f183c56b3c3babb6efdb641727732b89c88ea77707b330ead

Download Submit
\Users\Admin\AppData\Roaming\Heinote\Duilib.dll
Filesize
863KB

MD5
9b7f2fa89fefbe91dca59d0a6cd98f31

SHA1
585f84a775ffae5c0722f544e19523f63ed86675

SHA256
f50e5bd24085f81a5d26ea1956391d452bdf33fcdc267896ef96e9d8e3c2f9b8

SHA512
45f2d88f1c04b7b73fcc328cb443a5729603776739ea18e16426839152e39be336f37f52e63300c339456f90f03b9d9a22d68b48b9a56721f2cf37445cf2b965

Download Submit
\Users\Admin\AppData\Roaming\Heinote\Duilib.dll
Filesize
863KB

MD5
9b7f2fa89fefbe91dca59d0a6cd98f31

SHA1
585f84a775ffae5c0722f544e19523f63ed86675

SHA256
f50e5bd24085f81a5d26ea1956391d452bdf33fcdc267896ef96e9d8e3c2f9b8

SHA512
45f2d88f1c04b7b73fcc328cb443a5729603776739ea18e16426839152e39be336f37f52e63300c339456f90f03b9d9a22d68b48b9a56721f2cf37445cf2b965

Download Submit
\Users\Admin\AppData\Roaming\Heinote\Duilib.dll
Filesize
863KB

MD5
9b7f2fa89fefbe91dca59d0a6cd98f31

SHA1
585f84a775ffae5c0722f544e19523f63ed86675

SHA256
f50e5bd24085f81a5d26ea1956391d452bdf33fcdc267896ef96e9d8e3c2f9b8

SHA512
45f2d88f1c04b7b73fcc328cb443a5729603776739ea18e16426839152e39be336f37f52e63300c339456f90f03b9d9a22d68b48b9a56721f2cf37445cf2b965

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNChecker.dll
Filesize
907KB

MD5
94fd3bcfd0ccb1431b3fd6cc03db3803

SHA1
774fe443f72cea2399860b8732cb0caa9501ba21

SHA256
7a0cf5b766519f8bc224ffa04b21d00c0048918f8efde124e83b42b71d942d49

SHA512
2b2a85520c40b3f766a6410d2fb564ce117e4f2a96da49c0314914f036ab614415852518d9fefb36a5efb20eaf29bb0b431885f0f8f2caab628cf09518247f12

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNChecker.dll
Filesize
907KB

MD5
94fd3bcfd0ccb1431b3fd6cc03db3803

SHA1
774fe443f72cea2399860b8732cb0caa9501ba21

SHA256
7a0cf5b766519f8bc224ffa04b21d00c0048918f8efde124e83b42b71d942d49

SHA512
2b2a85520c40b3f766a6410d2fb564ce117e4f2a96da49c0314914f036ab614415852518d9fefb36a5efb20eaf29bb0b431885f0f8f2caab628cf09518247f12

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
Filesize
1.9MB

MD5
e5e686d67dda77cebc972f3b8abb3134

SHA1
02d57970a0e3e31d804137e0ae8fcc2d3c063572

SHA256
1c90302eeb89e758e8da7d3fff1b3a4b346ac104884fa3ffe6ccb29a940d69cc

SHA512
15a4c3d3d7f9561c74219f70f681dae83a2e5e57e3de6dda4095b0ebbda3050d2ff513ca0d6b77b2eeff9cc2f1001f2b06a53cb93e8a4ef6ec65b181926f9625

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
Filesize
1.9MB

MD5
e5e686d67dda77cebc972f3b8abb3134

SHA1
02d57970a0e3e31d804137e0ae8fcc2d3c063572

SHA256
1c90302eeb89e758e8da7d3fff1b3a4b346ac104884fa3ffe6ccb29a940d69cc

SHA512
15a4c3d3d7f9561c74219f70f681dae83a2e5e57e3de6dda4095b0ebbda3050d2ff513ca0d6b77b2eeff9cc2f1001f2b06a53cb93e8a4ef6ec65b181926f9625

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll
Filesize
1.9MB

MD5
e5e686d67dda77cebc972f3b8abb3134

SHA1
02d57970a0e3e31d804137e0ae8fcc2d3c063572

SHA256
1c90302eeb89e758e8da7d3fff1b3a4b346ac104884fa3ffe6ccb29a940d69cc

SHA512
15a4c3d3d7f9561c74219f70f681dae83a2e5e57e3de6dda4095b0ebbda3050d2ff513ca0d6b77b2eeff9cc2f1001f2b06a53cb93e8a4ef6ec65b181926f9625

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
Filesize
1.8MB

MD5
e23be304bc870b7fd8b8d596b0b64627

SHA1
617fc606f7e12c109e8ae0fc71e294e6d18c3051

SHA256
4a02a7155fc9d570eb46850ff69bc1705ffbf4ab2cad0b6728539ee4f64c0373

SHA512
a9dc7027a0bd542318767d9b9bbb0ce1f264fcee515368a9f0ed2a45458b972fec07ad25ea355b8863cdeef7d16352482dcebc71e6de6a7ca1a33c3d69f3f2ea

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
Filesize
1.8MB

MD5
e23be304bc870b7fd8b8d596b0b64627

SHA1
617fc606f7e12c109e8ae0fc71e294e6d18c3051

SHA256
4a02a7155fc9d570eb46850ff69bc1705ffbf4ab2cad0b6728539ee4f64c0373

SHA512
a9dc7027a0bd542318767d9b9bbb0ce1f264fcee515368a9f0ed2a45458b972fec07ad25ea355b8863cdeef7d16352482dcebc71e6de6a7ca1a33c3d69f3f2ea

Download Submit
\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll
Filesize
1.8MB

MD5
e23be304bc870b7fd8b8d596b0b64627

SHA1
617fc606f7e12c109e8ae0fc71e294e6d18c3051

SHA256
4a02a7155fc9d570eb46850ff69bc1705ffbf4ab2cad0b6728539ee4f64c0373

SHA512
a9dc7027a0bd542318767d9b9bbb0ce1f264fcee515368a9f0ed2a45458b972fec07ad25ea355b8863cdeef7d16352482dcebc71e6de6a7ca1a33c3d69f3f2ea

Download Submit
\Users\Admin\AppData\Roaming\Heinote\Report.exe
Filesize
1.3MB

MD5
6c1c1a345190285feef0af68cbd7b460

SHA1
f6518cab867588812a6d25721a437d95c16b3e9c

SHA256
3d5df248f910d765f909e8bcd88575d26230645532149cbc2fb607be7d082bba

SHA512
eba5c504ef175dad183877ea788ee79ed4521715319c6aeba6b4594acf79763bfa74df0dc2d0f7d6cb5896fb20248285ea6534a19bea75fd54871ecb44924062

Download Submit
\Users\Admin\AppData\Roaming\Heinote\hnote.exe
Filesize
6.7MB

MD5
b96fecbe32592e5248557c45a394c30c

SHA1
79c38e410b015e899a7d0b9661e06005af120abc

SHA256
eb6e19584fea22aaa59218e94c9156f2728d8b25eeb061f9062c42705992fac3

SHA512
f2e4851158b03d3e3e1263d326ccb43f6ba121a37cbf6df42a8f54f9a4f336449902dbf576a8d3308bc3f160bbce7d3af9d94ef4951ebd0e954500830ac6f8af

Download Submit
\Users\Admin\AppData\Roaming\Heinote\hnote.exe
Filesize
6.7MB

MD5
b96fecbe32592e5248557c45a394c30c

SHA1
79c38e410b015e899a7d0b9661e06005af120abc

SHA256
eb6e19584fea22aaa59218e94c9156f2728d8b25eeb061f9062c42705992fac3

SHA512
f2e4851158b03d3e3e1263d326ccb43f6ba121a37cbf6df42a8f54f9a4f336449902dbf576a8d3308bc3f160bbce7d3af9d94ef4951ebd0e954500830ac6f8af

Download Submit
\Users\Admin\AppData\Roaming\Heinote\hnote.exe
Filesize
6.7MB

MD5
b96fecbe32592e5248557c45a394c30c

SHA1
79c38e410b015e899a7d0b9661e06005af120abc

SHA256
eb6e19584fea22aaa59218e94c9156f2728d8b25eeb061f9062c42705992fac3

SHA512
f2e4851158b03d3e3e1263d326ccb43f6ba121a37cbf6df42a8f54f9a4f336449902dbf576a8d3308bc3f160bbce7d3af9d94ef4951ebd0e954500830ac6f8af

Download Submit
\Users\Admin\AppData\Roaming\Heinote\notepaper.exe
Filesize
3.6MB

MD5
72b85a1b360a95ad3ba048d7591ef9ce

SHA1
6e03550dff0f9fb71407cb45909b74f7286fc648

SHA256
f1190e38febfebb478ab5604303719a3362859b4f5f314e3767347b2839372b9

SHA512
958cac2b3f3e23ea445cf8fa786b5b2e2414dd6efb1fe69dfdff169183ddaaccd2f2af8cd2e79775f2c8c35c9e9b33dcb47572c9a09c1c99aa4d92ca1de67fec

Download Submit
\Users\Admin\AppData\Roaming\Heinote\uninst.exe
Filesize
3.2MB

MD5
69a6a74e62ff28cee063a0705480938d

SHA1
13eee8e5fa66706acb6a691384c1aa6024f492e5

SHA256
ba041ce237c7db304320913bdf70d1ac594b05785c7b6f0e7101544a71c21b3c

SHA512
236bfd6edf46e7e777d32b61a1cfd20efa26a633fca17fcd86b5fb8966ddd182f86bc7d33fa6e505041d6a0af320405480a2b82b746865f796234f21be9b0f22

Download Submit
\Users\Admin\AppData\Roaming\Heinote\updateservice.exe
Filesize
1.1MB

MD5
1f607bef859fc9202d44af91b3557421

SHA1
424b86fa7ea5f3376c221c4f46cefc0f80554e4a

SHA256
5df56f216da9d9e2eaf2a3cc6604051676820290fda5bf26baea9b7fae50e40a

SHA512
50f0770a3bd8e1934e709c3a8bd763809602b36387a534fee7e2caa645d4e780205b12a94f2ee64e01820649911d50a87be6343dc729071f505381b3a03d0429

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KZFormat.dll
Filesize
546KB

MD5
65438a29f353a00fe17dd7e35af07888

SHA1
46ec785c3b801264ceefb3448cdb3fb358c73f7d

SHA256
b4a9514658268f5846db1e4b17b4f96f2b2df2faac1dcbf4b09c1f5e2d2b7ac8

SHA512
d556ba5bfedd28f10de666a9e2219aa4d87d23badf898bfd5131b20717140366478d6421ae105c9c2c0c9253d93f1fa491f36ff18fd3c09f42f3a08c915f6571

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KZFormat.dll
Filesize
546KB

MD5
65438a29f353a00fe17dd7e35af07888

SHA1
46ec785c3b801264ceefb3448cdb3fb358c73f7d

SHA256
b4a9514658268f5846db1e4b17b4f96f2b2df2faac1dcbf4b09c1f5e2d2b7ac8

SHA512
d556ba5bfedd28f10de666a9e2219aa4d87d23badf898bfd5131b20717140366478d6421ae105c9c2c0c9253d93f1fa491f36ff18fd3c09f42f3a08c915f6571

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KZModule.dll
Filesize
994KB

MD5
371351c7ebda07df55dd2fbb097e00cd

SHA1
4dbf0e67a9eea539102b90e44009c34a4962b8ff

SHA256
8be05372b9d6f4cc388f7041bf6242b24642fa6821f3e8210bd50573574dc107

SHA512
10c5945fa87b46f18f810e12ee3983d98624621cbcb07e3a07cc4d4d5a63d59eab9387879a9e1f0fb0e6914bd9f043c7c2074b05e81255fdd0afa5166dbe3a50

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KZModule.dll
Filesize
994KB

MD5
371351c7ebda07df55dd2fbb097e00cd

SHA1
4dbf0e67a9eea539102b90e44009c34a4962b8ff

SHA256
8be05372b9d6f4cc388f7041bf6242b24642fa6821f3e8210bd50573574dc107

SHA512
10c5945fa87b46f18f810e12ee3983d98624621cbcb07e3a07cc4d4d5a63d59eab9387879a9e1f0fb0e6914bd9f043c7c2074b05e81255fdd0afa5166dbe3a50

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
Filesize
1.8MB

MD5
856adf37fbfe308b277d70f61b1648bd

SHA1
46ae3c502ed79f6de30b46248ad9a0b4bb75b494

SHA256
ada78735527cff0e0110cf43cc7e58793aeb18138ba1d50f5aafef0f5d1a2ada

SHA512
04d9047962f8d8c1510ddf73ad6b57a4686f83700222cff76eb0842adeaaf018e909e339963f7476dab5ee1c62f50e8c1fd6bbaec3aca9928a7fe9ea16b804f5

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
Filesize
1.8MB

MD5
856adf37fbfe308b277d70f61b1648bd

SHA1
46ae3c502ed79f6de30b46248ad9a0b4bb75b494

SHA256
ada78735527cff0e0110cf43cc7e58793aeb18138ba1d50f5aafef0f5d1a2ada

SHA512
04d9047962f8d8c1510ddf73ad6b57a4686f83700222cff76eb0842adeaaf018e909e339963f7476dab5ee1c62f50e8c1fd6bbaec3aca9928a7fe9ea16b804f5

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll
Filesize
1.8MB

MD5
856adf37fbfe308b277d70f61b1648bd

SHA1
46ae3c502ed79f6de30b46248ad9a0b4bb75b494

SHA256
ada78735527cff0e0110cf43cc7e58793aeb18138ba1d50f5aafef0f5d1a2ada

SHA512
04d9047962f8d8c1510ddf73ad6b57a4686f83700222cff76eb0842adeaaf018e909e339963f7476dab5ee1c62f50e8c1fd6bbaec3aca9928a7fe9ea16b804f5

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
Filesize
1.9MB

MD5
70d0ab551e7d888fb091ad0c48c53406

SHA1
486cd118b5c9d96022b139518039d7f60c19f7f6

SHA256
1c0991869791cbc4fb02ca5ce0214b5e4cdfbcebf50458ee3fdb3c133a5b7a07

SHA512
a9eff9b6458aa9a7fd32ff35077050145a1ca0a13f485bd8b486be6c8c475b5b1c793b9adbfbc6946aaf9d57f8393425bcc7987ffdb509deae5e1fa901ac103e

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
Filesize
1.9MB

MD5
70d0ab551e7d888fb091ad0c48c53406

SHA1
486cd118b5c9d96022b139518039d7f60c19f7f6

SHA256
1c0991869791cbc4fb02ca5ce0214b5e4cdfbcebf50458ee3fdb3c133a5b7a07

SHA512
a9eff9b6458aa9a7fd32ff35077050145a1ca0a13f485bd8b486be6c8c475b5b1c793b9adbfbc6946aaf9d57f8393425bcc7987ffdb509deae5e1fa901ac103e

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll
Filesize
1.9MB

MD5
70d0ab551e7d888fb091ad0c48c53406

SHA1
486cd118b5c9d96022b139518039d7f60c19f7f6

SHA256
1c0991869791cbc4fb02ca5ce0214b5e4cdfbcebf50458ee3fdb3c133a5b7a07

SHA512
a9eff9b6458aa9a7fd32ff35077050145a1ca0a13f485bd8b486be6c8c475b5b1c793b9adbfbc6946aaf9d57f8393425bcc7987ffdb509deae5e1fa901ac103e

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\lang\Chs_Lang.dll
Filesize
234KB

MD5
5e0643eb89d28d91cc67b60e2b910c04

SHA1
eedf224ae0ca28e5cd401b7c0ab772b257587d01

SHA256
a3d21dd220443f7badfc694ce91d5798904a76471b7f6a5b756c99a2e8354f3a

SHA512
573444c062a111a2bf213afcebcee63e2eb252a6d39c6c9f5ab344c58fe753b9abe527e67bc6678d43bef7d1bc5d5fa3dfdb32e7e7d59a8e4b9012d14085b2df

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\lang\Chs_Lang.dll
Filesize
234KB

MD5
5e0643eb89d28d91cc67b60e2b910c04

SHA1
eedf224ae0ca28e5cd401b7c0ab772b257587d01

SHA256
a3d21dd220443f7badfc694ce91d5798904a76471b7f6a5b756c99a2e8354f3a

SHA512
573444c062a111a2bf213afcebcee63e2eb252a6d39c6c9f5ab344c58fe753b9abe527e67bc6678d43bef7d1bc5d5fa3dfdb32e7e7d59a8e4b9012d14085b2df

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\lang\Chs_Lang.dll
Filesize
234KB

MD5
5e0643eb89d28d91cc67b60e2b910c04

SHA1
eedf224ae0ca28e5cd401b7c0ab772b257587d01

SHA256
a3d21dd220443f7badfc694ce91d5798904a76471b7f6a5b756c99a2e8354f3a

SHA512
573444c062a111a2bf213afcebcee63e2eb252a6d39c6c9f5ab344c58fe753b9abe527e67bc6678d43bef7d1bc5d5fa3dfdb32e7e7d59a8e4b9012d14085b2df

Download Submit
\Users\Admin\AppData\Roaming\快压\X64\lang\Chs_Lang.dll
Filesize
234KB

MD5
5e0643eb89d28d91cc67b60e2b910c04

SHA1
eedf224ae0ca28e5cd401b7c0ab772b257587d01

SHA256
a3d21dd220443f7badfc694ce91d5798904a76471b7f6a5b756c99a2e8354f3a

SHA512
573444c062a111a2bf213afcebcee63e2eb252a6d39c6c9f5ab344c58fe753b9abe527e67bc6678d43bef7d1bc5d5fa3dfdb32e7e7d59a8e4b9012d14085b2df

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\DuiLib.dll
Filesize
585KB

MD5
79a1ec25267a3471566212ad6738a299

SHA1
9f16ae130766490204324ece02f6b56930643b47

SHA256
8a5334f329442d8b6e19a22c444e6170ddc8c2fe520f696bbd59ec72baa445ee

SHA512
f6f492b3a4cc3cc67b713ba517d34012f45a58872d68d8e1aed5d93438051a2af2359d3103ea8f465b9f8d9bdcfd8eb9835000ba274f174f232f837beba9216a

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe
Filesize
5.1MB

MD5
9fddde7dbea9646c6fab0eb4f1a158f0

SHA1
f8c0c8c77c24f23f618af0daf6e0ad089ef36d73

SHA256
1dab58d5ca875ef0bbe2c01d35133f071745c67b15ecc0a21edfd3062e09afcc

SHA512
74e80e8b181fd78505a0a0fbe62e6c4a786b62c844a7f11e122a078e88cf3cc14f8a36968daf9aec5e06ca022cf97bf243df2fa637223b1f3ee967a7963956f7

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe
Filesize
5.1MB

MD5
9fddde7dbea9646c6fab0eb4f1a158f0

SHA1
f8c0c8c77c24f23f618af0daf6e0ad089ef36d73

SHA256
1dab58d5ca875ef0bbe2c01d35133f071745c67b15ecc0a21edfd3062e09afcc

SHA512
74e80e8b181fd78505a0a0fbe62e6c4a786b62c844a7f11e122a078e88cf3cc14f8a36968daf9aec5e06ca022cf97bf243df2fa637223b1f3ee967a7963956f7

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\kuaizipUpdateChecker.dll
Filesize
866KB

MD5
c68c2be483451e8a95fbe438f375ef02

SHA1
a5dde5ffdd32dd8992d97c19f49a4bc619215c9b

SHA256
a7ec931e3bf63ed1a55d8b81df45c3d27fa5d249abf204d0e6d853cbafad5723

SHA512
32646e5c85086ef738e267c83cbb3517220d4b02f8592d13c5df4c0b68cc041a3efc84156ce5030bbacabcece12567b0457334c6844ff5832529c2ed069fbee3

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\kuaizipUpdateChecker.dll
Filesize
866KB

MD5
c68c2be483451e8a95fbe438f375ef02

SHA1
a5dde5ffdd32dd8992d97c19f49a4bc619215c9b

SHA256
a7ec931e3bf63ed1a55d8b81df45c3d27fa5d249abf204d0e6d853cbafad5723

SHA512
32646e5c85086ef738e267c83cbb3517220d4b02f8592d13c5df4c0b68cc041a3efc84156ce5030bbacabcece12567b0457334c6844ff5832529c2ed069fbee3

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\lang\Chs_Lang.dll
Filesize
226KB

MD5
d80f27a8f2aa43083c729b18bf3e05f6

SHA1
6e24c81f27df9f01a44c1cb5b1bd8388d473e91c

SHA256
7adc023ec24a03a13e7dc7872ce5ca8e02d045712abc539d79abd6fd9ee3872e

SHA512
4ae2abaffc4077193854a5f992d3ab556a87ff4e386b3e2eeaf43b0e162dd8a0d8acf99c2f8e68c257969614ae83c49d17824dbb667cd6a972f887d0e0feb0b1

Download Submit
\Users\Admin\AppData\Roaming\快压\X86\uninst.exe
Filesize
2.8MB

MD5
afeff6f75b9eef4da7213d1c88d13428

SHA1
de7f0e1b1a188dae35ada904a0e882624d59e51a

SHA256
b2e33ad58b4660ddc3b5fe63d1fef95367d21f1d1871e0be32ab1e647514ba74

SHA512
54a4cf80ff352944335fda341c44642beea24784023cfe62c3c02b2feea0f3437b2bfef96cb18080abc52e0e1aa0e488a2c0d25c246a37e3067c85cb1659a440

Download Submit
memory/112-129-0x0000000000000000-mapping.dmp

Download
memory/284-162-0x0000000000000000-mapping.dmp

Download
memory/320-133-0x0000000000000000-mapping.dmp

Download
memory/364-190-0x0000000000000000-mapping.dmp

Download
memory/588-134-0x0000000000000000-mapping.dmp

Download
memory/768-165-0x0000000000000000-mapping.dmp

Download
memory/772-135-0x0000000000000000-mapping.dmp

Download
memory/820-200-0x0000000000000000-mapping.dmp

Download
memory/900-181-0x0000000000000000-mapping.dmp

Download
memory/904-111-0x0000000000000000-mapping.dmp

Download
memory/976-150-0x0000000000000000-mapping.dmp

Download
memory/980-152-0x0000000000000000-mapping.dmp

Download
memory/1080-199-0x0000000000000000-mapping.dmp

Download
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1316-91-0x0000000000000000-mapping.dmp

Download
memory/1348-205-0x0000000000000000-mapping.dmp

Download
memory/1416-95-0x0000000000000000-mapping.dmp

Download
memory/1416-155-0x0000000000000000-mapping.dmp

Download
memory/1516-93-0x0000000000000000-mapping.dmp

Download
memory/1520-147-0x0000000000000000-mapping.dmp

Download
memory/1548-89-0x0000000000000000-mapping.dmp

Download
memory/1548-195-0x0000000000000000-mapping.dmp

Download
memory/1580-106-0x0000000000000000-mapping.dmp

Download
memory/1600-193-0x0000000000000000-mapping.dmp

Download
memory/1600-102-0x0000000000000000-mapping.dmp

Download
memory/1692-66-0x00000000039E0000-0x0000000003B7D000-memory.dmp

Filesize
1.6MB

Download
memory/1692-59-0x0000000010000000-0x00000000101D5000-memory.dmp

Filesize
1.8MB

Download
memory/1692-56-0x0000000000000000-mapping.dmp

Download
memory/1732-174-0x0000000000000000-mapping.dmp

Download
memory/1740-76-0x0000000010000000-0x00000000100DA000-memory.dmp

Filesize
872KB

Download
memory/1740-83-0x0000000003690000-0x000000000382D000-memory.dmp

Filesize
1.6MB

Download
memory/1740-73-0x0000000000000000-mapping.dmp

Download
memory/1764-113-0x0000000000000000-mapping.dmp

Download
memory/1772-197-0x0000000000000000-mapping.dmp

Download
memory/1772-109-0x0000000000000000-mapping.dmp

Download
memory/1824-100-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/1824-99-0x0000000000000000-mapping.dmp

Download
memory/1868-188-0x0000000000000000-mapping.dmp

Download
memory/1884-198-0x0000000000000000-mapping.dmp

Download
memory/1964-196-0x0000000000000000-mapping.dmp

Download
memory/1964-201-0x0000000010000000-0x000000001020C000-memory.dmp

Filesize
2.0MB

Download
memory/2056-214-0x0000000000000000-mapping.dmp

Download
memory/2080-218-0x0000000000000000-mapping.dmp

Download
memory/2096-220-0x0000000000000000-mapping.dmp

Download
memory/2136-227-0x0000000000000000-mapping.dmp

Download
memory/2172-233-0x0000000000000000-mapping.dmp

Download
memory/2200-237-0x0000000000000000-mapping.dmp

Download
memory/2224-241-0x0000000000000000-mapping.dmp

Download
memory/2256-245-0x0000000000000000-mapping.dmp

Download
memory/2276-248-0x0000000000000000-mapping.dmp

Download
memory/2312-255-0x0000000000000000-mapping.dmp

Download
memory/2336-257-0x0000000000000000-mapping.dmp

Download
memory/2580-263-0x0000000000000000-mapping.dmp

Download
memory/2604-265-0x0000000000000000-mapping.dmp

Download
memory/2620-266-0x0000000000000000-mapping.dmp

Download
memory/2636-268-0x0000000000000000-mapping.dmp

Download
memory/2656-271-0x0000000000000000-mapping.dmp

Download
memory/2692-277-0x0000000000000000-mapping.dmp

Download
memory/2712-280-0x0000000000000000-mapping.dmp

Download
memory/2724-281-0x0000000000000000-mapping.dmp

Download
memory/2748-285-0x0000000000000000-mapping.dmp

Download
memory/2764-287-0x0000000000000000-mapping.dmp

Download
memory/2788-291-0x0000000000000000-mapping.dmp

Download
memory/2812-295-0x0000000000000000-mapping.dmp

Download
memory/2832-298-0x0000000000000000-mapping.dmp

Download
memory/2860-303-0x0000000000000000-mapping.dmp

Download
memory/2896-310-0x0000000000000000-mapping.dmp

Download
memory/2912-312-0x0000000000000000-mapping.dmp

Download
memory/2948-319-0x0000000000000000-mapping.dmp

Download
memory/2960-320-0x0000000000000000-mapping.dmp

Download
memory/2996-327-0x0000000000000000-mapping.dmp

Download