gh0strat | 97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Size

651KB
MD5

024624ebf8d05a64f75f76ce3534e45a
SHA1

95d995819f186cf19e8537c65bc096024424e382
SHA256

97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee
SHA512

ef2189227609298371d7f9b1060e39b7d60764988797373b5b3bb3b65e79f6863117f0ed0f5a74ce6cdf1d474fd705a63f7af09692f6b70775609eab402ad8f8
SSDEEP

12288:ViEb+X4RK9r0VehcNuySbMm1eAb3cgTasALA3yv4Jsk/oS:Vf+oRK9wVemcySbw8cHsgJC

Score

10^/10

gh0strat aspackv2 discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1524-66-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral1/memory/1752-69-0x0000000003D80000-0x0000000003E45000-memory.dmp	family_gh0strat
behavioral1/memory/1524-73-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00060000000146a2-81.dat	aspack_v212_v242
behavioral1/files/0x00060000000146a2-83.dat	aspack_v212_v242

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\BC.sys	setups_66_63962.exe
File created	C:\Windows\system32\drivers\kmodurl.sys	setups_66_63962.exe
File created	C:\Windows\system32\drivers\kmodurl64.sys	setups_66_63962.exe
File created	C:\Windows\SysWOW64\drivers\OOKZDHKN.sys	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
File created	C:\Windows\SysWOW64\drivers\LAEIMRTX.sys	svchoppp.exe
File opened for modification	C:\Windows\system32\drivers\BC.sys	setups_66_63962.exe
File created	C:\Windows\system32\drivers\ksapi.sys	setups_66_63962.exe
File created	C:\Windows\system32\drivers\ksfmonsys64.sys	setups_66_63962.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	setups_66_63962.exe

Executes dropped EXE 11 IoCs

pid	Process
1968	svchoppp.exe
1524	svchoppp.exe
1376	kuping_s_33717.exe
1536	setups_66_63962.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
2172	Kpmini.exe
2532	KSafeSvc.exe
2584	KSafeSvc.exe
2852	KSafeTray.exe
2920	ksetupwiz.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LAEIMRTX\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\LAEIMRTX.sys"	svchoppp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\OOKZDHKN\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\OOKZDHKN.sys"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-55-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/files/0x00090000000133e6-56.dat	upx
behavioral1/files/0x00090000000133e6-57.dat	upx
behavioral1/files/0x00090000000133e6-59.dat	upx
behavioral1/memory/1968-72-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/1752-125-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/1968-126-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/files/0x00090000000133e6-127.dat	upx
behavioral1/files/0x0005000000019c16-129.dat	upx
behavioral1/memory/1536-132-0x0000000000400000-0x0000000000530000-memory.dmp	upx
behavioral1/files/0x0005000000019c16-133.dat	upx
behavioral1/memory/1536-139-0x0000000000400000-0x0000000000530000-memory.dmp	upx
behavioral1/memory/1536-191-0x0000000000400000-0x0000000000530000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1376	kuping_s_33717.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
2140	KpQuickenFunction.exe
2140	KpQuickenFunction.exe
2140	KpQuickenFunction.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2172	Kpmini.exe
2172	Kpmini.exe
2172	Kpmini.exe
2172	Kpmini.exe
2140	KpQuickenFunction.exe
1416	kuping_v4.exe
1536	setups_66_63962.exe
1536	setups_66_63962.exe
1536	setups_66_63962.exe
1536	setups_66_63962.exe
1536	setups_66_63962.exe
2532	KSafeSvc.exe
2532	KSafeSvc.exe
2532	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
2584	KSafeSvc.exe
1536	setups_66_63962.exe
1536	setups_66_63962.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
1536	setups_66_63962.exe
2920	ksetupwiz.exe
2920	ksetupwiz.exe
2920	ksetupwiz.exe
2920	ksetupwiz.exe
2920	ksetupwiz.exe
2920	ksetupwiz.exe
2852	KSafeTray.exe
2920	ksetupwiz.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	setups_66_63962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KSafeTray = "\"c:\\program files (x86)\\ksafe\\KSafeTray.exe\""	setups_66_63962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KSafeTray = "\"c:\\program files (x86)\\ksafe\\KSafeTray.exe\" -autorun"	setups_66_63962.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchoppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2297F138 = "C:\\Windows\\2297F138\\svchsot.exe"	svchoppp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kuping = "C:\\Program Files\\kuping4\\kuping_v4.exe /start"	kuping_v4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\svchoppp.exe	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
File created	C:\WINDOWS\SysWOW64\svchosttt.exe	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
File created	C:\WINDOWS\SysWOW64\2345pack_k61539783_v3.1.exe	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
File created	C:\WINDOWS\SysWOW64\bluesoft_gho_bsxmqj_inst.exe	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\kuping4\TempDownLoad\Home\11204.jpg	kuping_s_33717.exe
File created	C:\Program Files\kuping4\TempDownLoad\Home\21222.jpg	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\kwsplugin\images\info.bmp	setups_66_63962.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Prompt\cancel.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\kvip\data\default_head_logo.png	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\checkbox_disable.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\progressrigth.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\kwsu.dat	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\KEng\ksg\false.psg	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\cp\KSafeSvc.exe	setups_66_63962.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\color\red.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\IndivCenter\upload\tag.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\TempDownLoad\Home\51225.jpg	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\Personal-center.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\df_p_lef.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\graypop_banner_1.bmp	setups_66_63962.exe
File opened for modification	\??\c:\program files (x86)\ksafe\quarantine.ini	KSafeSvc.exe
File created	\??\c:\program files (x86)\ksafe\wndtime.dat	KSafeTray.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Prompt\Ð§¹ûÍ¼.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\tooltipUi\bg_02.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\list\backpage.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\TempDownLoad\Home\21218.jpg	kuping_s_33717.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Temp\bg_01.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\ÌáÊ¾¿ò\cut_button-hand.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\images_s\block_close_over.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\KEng\ksg\oj211208.fsg	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\KEng\ksg\ztvb9008.vsg	setups_66_63962.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\IndivCenter\Personal-information\tailorBg.jpg	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\UpdateNotice\notchoose.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\cp\productidinfo2.ini	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\dlsp_button_hover.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\xzbh_top_right.bmp	setups_66_63962.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Prompt\cut_button.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\slice\bg-2.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\button_17_down.bmp	setups_66_63962.exe
File created	C:\Program Files\kuping4\TempDownLoad\Home\61152.jpg	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\sp3a.nlb	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\kwsctrl.dll	setups_66_63962.exe
File created	C:\Program Files\kuping4\Appsoftconfig\image\soft.xml	kuping_s_33717.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Temp\la.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\CenterDlgConfig\UploadImageLayer.ini	kuping_s_33717.exe
File created	C:\Program Files\kuping4\MSGBoxSkin\UI\error.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\list\suspend.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\ksfmonsys64.sys	setups_66_63962.exe
File created	C:\Program Files\kuping4\Appsoftconfig\image\buttoncoculation.png	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\list\nextpage.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\icon\commentbgsafetrs.gif	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\cp1\ksscfgx.ini	setups_66_63962.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Temp\Thumbs.db	kuping_s_33717.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\kupingbg-03_03.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\KEng\ksg\tj261209.vsg	setups_66_63962.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\IndivCenter\daohang\myDownLoad.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\checkbox_down.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\webui\icon\commentbgunkownlts.gif	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\fullbox\pic\fullbox_reg_clean.bmp	setups_66_63962.exe
File opened for modification	\??\c:\program files (x86)\ksafe\cfg\unioncfg.ini	setups_66_63962.exe
File created	C:\Program Files\kuping4\TempDownLoad\TagInfo\list_xp.xml	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\KEng\ksg\ztfc001d.fsg	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\KEng\ksg\zepb7001.ksg	setups_66_63962.exe
File created	C:\Program Files\kuping4\kpTailor\skiniconfig\Ä¬ÈÏ\Temp\line.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\webui\splock\images\xzbh_left.bmp	setups_66_63962.exe
File created	\??\c:\program files (x86)\ksafe\kse\unknown.fsg	setups_66_63962.exe
File created	C:\Program Files\kuping4\skinConfig\Ä¬ÈÏ\ui\slice\bg-3.png	kuping_s_33717.exe
File created	\??\c:\program files (x86)\ksafe\fullbox\pic\fullbox_sysrepair.bmp	setups_66_63962.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2297F138\svchsot.exe	svchoppp.exe
File created	C:\WINDOWS\svchoppp.exe	svchoppp.exe
File created	C:\Windows\2297F138\svchsot.exe	svchoppp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "28658"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "50017"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "51501"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "113779"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1832"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "50585"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "97263"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "113225"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "150705"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "150706"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "150721"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1861"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "88367"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "90289"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "94650"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "94659"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "98565"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "125564"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "24023"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "90289"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "94650"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "97263"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "151189"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "150721"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "2748"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "28669"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "88367"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "101151"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "107589"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "143751"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "150694"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1753"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "1861"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "28658"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "895"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "49979"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "51501"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "99849"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "125564"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "151189"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "125618"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1890"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "2748"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "50047"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "95961"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "101151"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "120722"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	svchoppp.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "37"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "1766"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "1832"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "28676"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102453"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "1845"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "1890"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "49951"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "49979"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "50029"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "109055"	svchoppp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "24023"	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bksafesvc.bkcomm\CurVer	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25407239-B26F-40DF-97FF-1652E76BF999}\TypeLib	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\ = "¿áÆÁÖ÷Ìâ×ÊÔ´ÎÄ¼þ"	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\Shell\Open	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpcurfile\Shell	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\Shell\Open	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\Shell	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bksafesvc.bkcomm\CLSID\ = "{C313E554-97AB-49F9-988F-04DF64CD0451}"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile\Shell\Open	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\Shell\Open\Command\ = "C:\\Program Files\\kuping4\\KpInstallTheme.exe %1"	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\Shell\Open\Command\ = "C:\\Program Files\\kuping4\\KpInstallTheme.exe %1"	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kpscr	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile\Shell	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C313E554-97AB-49F9-988F-04DF64CD0451}	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C313E554-97AB-49F9-988F-04DF64CD0451}\ProgID\ = "bksafesvc.bkcomm.1"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	setups_66_63962.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\Shell	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\Shell\Open\Command	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Kuping\Command	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\DefaultIcon	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bksafesvc.bkcomm.1\ = "bkcomm Class"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpcurfile\DefaultIcon	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpcurfile\Shell\ = "Open"	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile\Shell\Open\Command	kuping_s_33717.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Kuping\Command	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C09A3ECC-2185-4F08-A17D-3EE687E05774}\1.0\HELPDIR\ = "c:\\program files (x86)\\ksafe"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25407239-B26F-40DF-97FF-1652E76BF999}	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpcurfile\DefaultIcon\ = "C:\\Program Files\\kuping4\\kuping_v4.exe,3"	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile\DefaultIcon	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpcurfile\DefaultIcon\ = "C:\\Program Files\\kuping4\\kuping_v4.exe,3"	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E44A3E87-876D-46BB-8831-836A4C74918B}\ = "bksafesvc"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\DefaultIcon	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpiconfile\Shell\Open\Command	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpiconfile\DefaultIcon\ = "C:\\Program Files\\kuping4\\kuping_v4.exe,4"	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E44A3E87-876D-46BB-8831-836A4C74918B}\LocalService = "KSafeSvc"	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "ec700cc175a341f0dd2d90c991cd1f93"	setups_66_63962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25407239-B26F-40DF-97FF-1652E76BF999}\TypeLib\Version = "1.0"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\Shell	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\Shell\Open\Command	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Kuping\Position = "bottom"	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bksafesvc.bkcomm\ = "bkcomm Class"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C09A3ECC-2185-4F08-A17D-3EE687E05774}\1.0\HELPDIR	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kpicon	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile\DefaultIcon\ = "C:\\Program Files\\kuping4\\kuping_v4.exe,6"	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E44A3E87-876D-46BB-8831-836A4C74918B}	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\Shell\ = "Open"	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpiconfile\Shell\Open\Command\ = "C:\\Program Files\\kuping4\\KpInstallTheme.exe %1"	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kprarfile\Shell	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kprarfile\Shell\Open\Command	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpcurfile\ = "¿áÆÁÊó±êÖ¸Õë×ÊÔ´ÎÄ¼þ"	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25407239-B26F-40DF-97FF-1652E76BF999}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	KSafeSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	setups_66_63962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kprarfile\Shell\Open\Command\ = "C:\\Program Files\\kuping4\\KpInstallTheme.exe %1"	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kplguifile	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpscrfile\ = "¿áÆÁÆÁ±£×ÊÔ´ÎÄ¼þ"	kuping_v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kprar	kuping_v4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpthemefile\Shell\ = "Open"	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kpcur\ = "kpcurfile"	kuping_s_33717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kpiconfile\Shell\Open\Command\ = "C:\\Program Files\\kuping4\\KpInstallTheme.exe %1"	kuping_s_33717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C313E554-97AB-49F9-988F-04DF64CD0451}\Programmable	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25407239-B26F-40DF-97FF-1652E76BF999}\TypeLib\ = "{C09A3ECC-2185-4F08-A17D-3EE687E05774}"	KSafeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	setups_66_63962.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchoppp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchoppp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svchoppp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svchoppp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1524	svchoppp.exe
1524	svchoppp.exe
1524	svchoppp.exe
1524	svchoppp.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
2140	KpQuickenFunction.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
2140	KpQuickenFunction.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	svchoppp.exe
Token: SeDebugPrivilege	1524	svchoppp.exe
Token: SeDebugPrivilege	1536	setups_66_63962.exe
Token: SeRestorePrivilege	1376	kuping_s_33717.exe
Token: SeBackupPrivilege	1376	kuping_s_33717.exe
Token: SeTakeOwnershipPrivilege	2532	KSafeSvc.exe
Token: SeTakeOwnershipPrivilege	2532	KSafeSvc.exe
Token: SeTakeOwnershipPrivilege	2532	KSafeSvc.exe
Token: SeTakeOwnershipPrivilege	2532	KSafeSvc.exe
Token: SeDebugPrivilege	2584	KSafeSvc.exe
Token: SeChangeNotifyPrivilege	2584	KSafeSvc.exe
Token: SeTakeOwnershipPrivilege	2852	KSafeTray.exe
Token: SeDebugPrivilege	2852	KSafeTray.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1416	kuping_v4.exe
2852	KSafeTray.exe
2852	KSafeTray.exe
2852	KSafeTray.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
1968	svchoppp.exe
1968	svchoppp.exe
1968	svchoppp.exe
1968	svchoppp.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1376	kuping_s_33717.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
1416	kuping_v4.exe
2140	KpQuickenFunction.exe
2140	KpQuickenFunction.exe
2172	Kpmini.exe
2172	Kpmini.exe
1416	kuping_v4.exe
1416	kuping_v4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1968	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	29
PID 1752 wrote to memory of 1968	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	29
PID 1752 wrote to memory of 1968	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	29
PID 1752 wrote to memory of 1968	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	29
PID 1968 wrote to memory of 1524	1968	svchoppp.exe	30
PID 1968 wrote to memory of 1524	1968	svchoppp.exe	30
PID 1968 wrote to memory of 1524	1968	svchoppp.exe	30
PID 1968 wrote to memory of 1524	1968	svchoppp.exe	30
PID 1524 wrote to memory of 612	1524	svchoppp.exe	31
PID 1524 wrote to memory of 612	1524	svchoppp.exe	31
PID 1524 wrote to memory of 612	1524	svchoppp.exe	31
PID 1524 wrote to memory of 612	1524	svchoppp.exe	31
PID 612 wrote to memory of 1860	612	net.exe	34
PID 612 wrote to memory of 1860	612	net.exe	34
PID 612 wrote to memory of 1860	612	net.exe	34
PID 612 wrote to memory of 1860	612	net.exe	34
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1376	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	35
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1752 wrote to memory of 1536	1752	97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe	38
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1376 wrote to memory of 1416	1376	kuping_s_33717.exe	42
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2140	1416	kuping_v4.exe	45
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1416 wrote to memory of 2172	1416	kuping_v4.exe	46
PID 1536 wrote to memory of 2532	1536	setups_66_63962.exe	50
PID 1536 wrote to memory of 2532	1536	setups_66_63962.exe	50
PID 1536 wrote to memory of 2532	1536	setups_66_63962.exe	50
PID 1536 wrote to memory of 2532	1536	setups_66_63962.exe	50
PID 1536 wrote to memory of 2852	1536	setups_66_63962.exe	53
PID 1536 wrote to memory of 2852	1536	setups_66_63962.exe	53
PID 1536 wrote to memory of 2852	1536	setups_66_63962.exe	53
PID 1536 wrote to memory of 2852	1536	setups_66_63962.exe	53
PID 1536 wrote to memory of 2920	1536	setups_66_63962.exe	54
PID 1536 wrote to memory of 2920	1536	setups_66_63962.exe	54
PID 1536 wrote to memory of 2920	1536	setups_66_63962.exe	54
PID 1536 wrote to memory of 2920	1536	setups_66_63962.exe	54
PID 1536 wrote to memory of 2920	1536	setups_66_63962.exe	54

C:\Users\Admin\AppData\Local\Temp\97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe
"C:\Users\Admin\AppData\Local\Temp\97ab4063ec4fdc46d2fa0c999d1e91430c26653e368d1d7873f7689b7fe3e0ee.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\WINDOWS\SysWOW64\svchoppp.exe
  C:\WINDOWS\system32\svchoppp.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets service image path in registry
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\WINDOWS\svchoppp.exe
    C:\WINDOWS\svchoppp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\WINDOWS\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:1860
- C:\kuping_s_33717.exe
  C:\kuping_s_33717.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Program Files\kuping4\kuping_v4.exe
    "C:\Program Files\kuping4\kuping_v4.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Program Files\kuping4\KpQuickenFunction.exe
      "C:\Program Files\kuping4\KpQuickenFunction.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2140
  - - C:\Program Files\kuping4\Kpmini.exe
      "C:\Program Files\kuping4\Kpmini.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2172
- C:\setups_66_63962.exe
  C:\setups_66_63962.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - \??\c:\program files (x86)\ksafe\KSafeSvc.exe
    "c:\program files (x86)\ksafe\KSafeSvc.exe" -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - \??\c:\program files (x86)\ksafe\KSafeTray.exe
    "c:\program files (x86)\ksafe\KSafeTray.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2852
- - \??\c:\program files (x86)\ksafe\ksetupwiz.exe
    "c:\program files (x86)\ksafe\ksetupwiz.exe" -infoc2 -success -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md C:\WINDOWS\system32\system..\ & copy C:\WINDOWS\system32\svchosttt.exe C:\WINDOWS\system32\system..\ & start C:\WINDOWS\system32\system..\svchosttt.exe &
  2⤵
  PID:1684

\??\c:\program files (x86)\ksafe\KSafeSvc.exe
"c:\program files (x86)\ksafe\KSafeSvc.exe" -svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\kuping4\SkinCenter.dll

Filesize
458KB

MD5
55b901792502bee075efadf17fd9e8f2

SHA1
b61d0825aed2ad588f2d69f78cffa28da2338c8e

SHA256
972f34fc37b84da2eb0dd96dc48568f2c99884a2511008070fa4b0ecf4a7a4b3

SHA512
234f877283b9432f079aeb3b2908c67a480f74bc323efeb218336d7ce91337236bdcc81da17b1047478f6283eb905388a9d48648d33cb8022e7e88545af060e1

Download Submit
C:\Program Files\kuping4\kuping_v4.exe

Filesize
1022KB

MD5
7dee0193e01240d2c874eaf7e2fb9ee7

SHA1
ce48ae61c1fcad4d963cc28cb2dd478e07dd436e

SHA256
f04728ab30c0baf07beacbdfa0ca4a227831de35a4d8236bffaf55f56f599fb8

SHA512
ec68050321562d92964c60c5e07118b435bf229d6d589ae927f5a18f860963fccbdb2ce51144033389280a3c92100223163acc548a381b5dadf7b49be53834e2

Download Submit
C:\Program Files\kuping4\unrar.dll

Filesize
181KB

MD5
c7c312baea98038c04db09ebf0185818

SHA1
6c06debad557d403b130411fc9c0b9e69f1d641d

SHA256
514526a0ac61cea6027eb39bb28850eaca0dd064285980a6441b4368cc142416

SHA512
8a8fdff07651ce40ba62668c450009813eaaebed863c967c92df1621b1e5fc3247f0a5f25ece7faaeba956bc0d9a2038b0f168cd425a4a8ce24dacd293369351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
7890979fbc7547dcd3a68cb46a167509

SHA1
94ec4e70ee0aa48a121e8ae90d73f7707c287c02

SHA256
6a275556bea511ae7101fc18653a21fe9887aa3a55e2e286d11469e978bd1c41

SHA512
65050a94b92fdc37f0e98fe52bb3312556db4da4dca6d203cc8e17fdb217a519757c177b20bf7aed3932b751dfbf66e272b7204bbc232e33e0989606231d6887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_732CD2E81096ABF7BA2C52B060437887

Filesize
727B

MD5
da42da990f950a32473105c62eb64371

SHA1
3f06f95aa7c92db15f828501140d0d47c938e13c

SHA256
c295de8ca609317d94bfb83df1a5a73254fb4b0f6c2c1a574035ddf548909837

SHA512
49358fe430b2e3024d528a629b41a4ac1d9aaa7145a3f3364082cdbed87efe10caca46299c987c96aa79ddc43965c2b0289b9ffecb33e1e92028fa5cfd7b533a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
50044061a57555810096851c87b6cb1f

SHA1
d8811256446ec6d27d6c6a222bb9fa6b49665b0b

SHA256
389cb50bfe38c978d10c19e8e298a88403a7c704c446d07e97621543e59a3bcd

SHA512
5963d3d031e7015afcaed824ab95e2449cc40d54c096b460199503a55fbb406c85204ecbd6cd50f9036b2a73222601250cca8a4fc2ddbe30c7257dae1baa0ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AD271238AE52F650EBC4F5351E57080_F24C10185A30D5B76A6D06FE787295EE

Filesize
600B

MD5
f89d48ef6b73a88a748ae05c90e5a67f

SHA1
5d4bc68738988b5b2e3a777fca5e46df60e4a77d

SHA256
1d6f9788e6d72c543f699d7816fef6055f0a157955a462c65453a36869705026

SHA512
dc1bc809128d8722ac8387cc2e0800a441fb45430c562b919fed9357c80804f95fa09f00c046128f62e8b733492f6c7631ea19cf3b25f7554c51931115b0f2b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
9aaec31141621af0b2726a4edba03a2f

SHA1
800be4a0c3960996eefb2b72706e62f0aa03008e

SHA256
a1f427c19f17f2422b31509b57598d674c5850bf3984e3cc1324519ab7f1c5bb

SHA512
c153f8707ed5e0e76f073d38736534411e40eb860975a6421076a9ee2ed215b2e83af964efee3a4f0df98616595e2ce887a9d9bac6c27f5e5cc2774726df186f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_30AFADCBADB64465E92E8D7F467226D2

Filesize
1KB

MD5
58bd4f2f513c6d3b8e2224783994291f

SHA1
7dd4c7e0fcafd11fc126aa7d4c5391dccfb91dff

SHA256
1534c6fdb5cd8ff3d700fb19ade0e786ce3bcf6acea692e95b425e59c561b0fd

SHA512
d793637e3c906fb7a284b2b7bb114376891816e3d4ff584ba602a6277bca9838d2177277ddd2626cb90306b4a47f057d38327c2c889dde3687a9dedd5354bf97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
471B

MD5
7e876cd902020e2ef4c0ff3c77ef1148

SHA1
eb9f75337f42521db4e3992fd37556766d335db7

SHA256
11773cff0e724b98efe876fe899836b27406867b10b7525128a4d536fef2b8eb

SHA512
531a61bdf5d54f7e36039802f388cfde60623716b6eed728ed2d21b306426d0485769c3aaebf999f0d22fedd93390a6b48df7805a68992cbe449fbcad09c9e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
5abc99e1ac11edacc1b41048d4300bb2

SHA1
e1551d4b8687c50a3ff67fb41950e57d0a63b2cc

SHA256
546649182e1221b82275c9da15a53ef00c129f4b20d239a1bdcee7dbcfb20e61

SHA512
17adca6ab43de7219b0ef5561bc18799f98ef73587b442c3e0caea7f382d0da99c2ae34655375bdcb05cd74159fb13807eae647baa7d986f6d6427a339b8d4b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_732CD2E81096ABF7BA2C52B060437887

Filesize
442B

MD5
0ee543c2f7fa661cba2dad9636741677

SHA1
130fa87bfe648afff812c7e39067df99a56db37e

SHA256
456121ea8ea005233ca12c2272512ae836940bf18decf7a8cebedb763b4de2f2

SHA512
b40fb93a177fd9c736423a00bf1ed26818484e204ea20f1672c29e237aa009090e862a8b00287abebbf0777afa130221363a8c7e17b62c39b1a8b6a780d3973f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
882be2c6b4bea25cda91dbaaf59f98b0

SHA1
8ce8539a829e539f8f277b45fe799f781e1c4757

SHA256
13e45a0224e89375c8e962ec14ffc997a48ad9856df047573bed27b8b569472f

SHA512
cd79f797ee84bd3be910f5d507d3a631bd6c11471655d664b0eb56662f758c89a3e831b09e996cde645a35ac9ff6d3e421e3b89859f2ee19439bbdb8f1aa759c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AD271238AE52F650EBC4F5351E57080_F24C10185A30D5B76A6D06FE787295EE

Filesize
500B

MD5
f057dfec252374f54f393331a22693a5

SHA1
408bf87355d5ecb8d817d82d6947285aaab3e32f

SHA256
a7d2f3714512a3d3f7a9f4cff1a7541953b47d446d0768f0fbfd4e765469ef40

SHA512
01d337842b740330a545879e2251507002f715615de3bdb5b106cd717e6b3c4575e54c7387db2082f234026625634d3c7aa29e6df89c7cf65c2b4323eadb81a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ae9cff49681a6ef70a91c73fd7a1fa6

SHA1
9751f80d3f77551fcaf63df4cf68de049fb7fbf3

SHA256
bbf3f267391c4a454dc908738436b0c2a39a607d88f4ca7d8234a6081b5f3b7e

SHA512
5c157cfa8ec3124431d49b94d1a489642f0a6659ff3b73a0905f93496d67e4cb9cdffeb4393eb7150a95d1f9b63d35d502e7ff481a6fdad4124f1b099985e0ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
42f4746fe35a16a2c7797cae3be98a7a

SHA1
89a1608a60cbd817d24a6d026c23887bcd6b88ed

SHA256
47752fc21f00d21be6d10c1a5c6640576424c8cdfbfafd57b9f7a768eaf541f5

SHA512
1f2f33b8a97283576e277e7223d0eaeddb82969bbd666efb5336c35b5355bb7bb349bc2a695782ef5b28ad5780d3876d0c4fbdcc1332b37492fabcfb8ba4d335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_30AFADCBADB64465E92E8D7F467226D2

Filesize
478B

MD5
6a57378c9c197915fd9ec11f34feb714

SHA1
fe18457f61c83d81b8f7f4407760a1b782efdf96

SHA256
caacf7b0e2336bfa0fee385a5ae456d0bba9ec3d67e23ce249f9b04775e35df0

SHA512
24c37277e9b4a9c0cc99940f2acfd1863d4714d7705fe5a4414c124f1c05da40bb30169cc22b699eee2f8336ae57386fa831562c1905d2bf54ccd3f4672a7956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
430B

MD5
2ba006b9272e102b89a769e8687d18fc

SHA1
06a27a528f13c1fd0c1b3eb3e6ab14e53233ee1c

SHA256
d4c3509890b05ae9855d1e11b5acd55e5abce9c2090aca23bd6978eaa266f096

SHA512
58ce6e95be6b7182b6280a9d42f244a0a8122e241241b251b32aeabd81681b43cce2d85dfdfecc929cee463cee54e863ba46ac3b91de47647aa22f2c4d0e08c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\5ce1aef23046814cf16fe5cffbb4ad45[1].gif

Filesize
4KB

MD5
5ce1aef23046814cf16fe5cffbb4ad45

SHA1
e5913983b4a621117b8aca52cd1f3df7eea0694a

SHA256
e7aff9970e14de2393fede3fc8e021c624d2aaf3f4d3a6cc86c04acbd80b1e81

SHA512
150ac9892863eb89687abba69d33dac4389431de50d4d55bdfa486091d52a884c1315595d865dbc3af09125bb544c8aa1233086f365e4d0dde89b1d8bf2e60e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\ea9d8504a045ed5408176b901cc4e524[1].png

Filesize
696B

MD5
ea9d8504a045ed5408176b901cc4e524

SHA1
d1ec69d0190849687a0b8608976d262c9e6963ce

SHA256
bcd3dca992e6d05794213324441f02cea90b5046b7ffd97937eed832a3f52cfa

SHA512
01e8483c4934ca97b0c22b726bb5701e7ac47281debe79a2a759f51934e4cf437099b1b9a38fd700983b61a5a2032638cba997ddc790fda99d72fbab7615ce7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\fa088cf7a9e345751b3ce7a0041c3989[1].png

Filesize
958B

MD5
fa088cf7a9e345751b3ce7a0041c3989

SHA1
e593e022b6de0a71b7340895dd52a6951e3622d5

SHA256
9123d4d67223753050783ae36f3cbc0bd50c3ea082bf647325efee9cab1e8514

SHA512
2d786ac303e37a22c680e3b32f8f4b762906edf8b41270c53adc0147803d9384aa3d8a818fccb0d4a4f2d637b5e8837bb4409927f615b3153e74167449572d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\jquery-1.8-dd39d1759b.3.min[1].js

Filesize
91KB

MD5
8711f5a64d367737c1cbb4f01c969cb8

SHA1
5fe2bb33dde5be9c2a3bd162c5ccbc05fefe4761

SHA256
da31d46eb60b6a03e82d3b47f9a19a96e67512ded3813cfa1ac413b948b65154

SHA512
3f93322df1920bdc9c8892cd670559e3a2ea9fc3564a805580163dc70428b46d1cacc13eba865dbd8f24bb4e29017734fb2df6955a2a9a1972d63d40c1fd87b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\public-8085fba160[1].js

Filesize
1KB

MD5
536d3ba47c6d648c3298813d65eaa572

SHA1
ba61445f9adf8cab04cdc12e321cf78e752c5075

SHA256
f50dc08535f5107c2c9c1e06ae2a28c49590475811909e05e3c8921093a3929e

SHA512
7cfdcd66639adf5a3cf180047b4c7093c401c4a6b9d98f219595fe94b936e2193903878add4ce8340d0b5e7262f63d1d93d7d0a55abef676016270ddff2b10de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\report-78677e5cc9[1].js

Filesize
1KB

MD5
091fa66f55ddc2d5c067cb768baa97ef

SHA1
9da5bf3cac4df6c25fbe6b3d44c77a51478408c3

SHA256
c67d66f80f2b2bd24af669eb4a328e2ea3593511d5fe1e4c8145feddb94fbb7a

SHA512
d9c919327590deb877a0b1668374a999c52b9b64995540135e1e771e85a84eb40c2e84a36cd9a43a9d0b7732126e0dd9d3fb76f22810c7c0fc54844068b7a242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\45dff259d046032205cad480f6b7912c[1].png

Filesize
221B

MD5
ccfec15f2bb8a16f869acd64a81ee7e6

SHA1
a9ca0a12d6c28e7c6bbafcdd15f961470d72286c

SHA256
afce102a2e9e98a492d72244552d3eaa639a42f7b360c260d3d095071a312785

SHA512
de1074d9032d514d3ed7d6fab20f20ccf47ab10ec80e311ba6253f9d6a5473cd13457fd5a5fd2fc03d222e5ce01ffa20917c3b3a6cc92c44e845ba467e2d3f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\blank[1].png

Filesize
953B

MD5
1dce95f828f80909998fb31e95f753a8

SHA1
92b70ef8e1a68e7bc74f84d0a73db9ceb28d3753

SHA256
edc5d409a18f9f37906fb1df18f720d8dfaeee25f90930f64747045eb4a3c6d0

SHA512
2a44a03e8ad25e44f6181b04e91e16a574409d3b29f29c1d83030f9c028c2fc7c4ab045cf8c136c657667d228d90a7fa5edcacd16d29c05636320c2eac028e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\jquery-287fd3cff5.xdomainrequest.min[1].js

Filesize
1KB

MD5
0e6315ec561555fac2f641ce98b37b2d

SHA1
89a4e6015ae6e38669e0933885435b05c48c2026

SHA256
3a52f0e331a6226ac42e04468e30ae65a6b87f4a2b02b652aaa451d22dc0bfea

SHA512
c6e5ace92503a4741fc57a50a195ff3954fda65fb10c099f480384e9b6d41f40cfd58a3f1c9c3107c6d3d24bcc1df9c0e5926e8b1410193cc8cdcd772425c906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\moment-6e68074f83.min[1].js

Filesize
51KB

MD5
7f5017073004b3affc58fb645d54371c

SHA1
d258f73e023c2dc55e4c1178c3114ef01a1d9d25

SHA256
6de2ca9da9ecfddf0779498458b35a5101b7ff1593943428d1ef98b94bd6da5f

SHA512
8a42ca02e6f315e3adba3bfba9d680b008b544e2ad2996699121c64f1689c8166ec44510903dd9cb0209922e25d513a974c7d79155cca3bb6438e43035f731a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\v2.1[1].js

Filesize
5KB

MD5
8e97a482eb5482764aaa5e9188e060a2

SHA1
034f55d1ab7cf587114a625a2e27d132066a369e

SHA256
336a903b083798538479d16736e517626f2b1bd5f267eedc647ecc3f6567d79f

SHA512
f51a8c8ef464ba4b4fd5e3b8f725f5e7b4ec2f14ad02bfa5ae88c531ffcece773791f9f021df37d4bd67b3f6b656d91c10b9b989f9c653d8018e61798848b4ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\zjsVer2[1].js

Filesize
89B

MD5
cc3ece610363ae4ee0c0ceaf15080ac4

SHA1
260a7cb1f9ef70450284046fe3a575a63ef5a4b4

SHA256
616e8a2f8ad35da2945dd55f6d0ff528c1b06b8e601d36553dded4c834286ebf

SHA512
1b3410d2537c8d15aa72c6c6af38983c749cb28d16de60253268abaa75f1537702a8a114f248814f9a00682afe400b8fea838ded3d2b54d2b59bfa3eaeaa3fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\base64-5bca38624a.min[1].js

Filesize
884B

MD5
7efb21b001045b0279a5d197e9f0abbf

SHA1
9632328036a7248b6d5c51ab32f1ae8dbafaa9e1

SHA256
251f0f4377d27c4354ff7acb610ba42ae0aeaf3662a0f6202a954dd92c3fe8d8

SHA512
8dbf42fced37d154f4a92ba4df204bc2f4df16eea50d6868cb49eb1144d3ee5d45613a08e0c9d8cc3e892afab190e989a9a5940613cc7fcaf3fd5d902104feab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\cm[1].js

Filesize
110KB

MD5
bc6d7bf0c91935db37b2e5e5df7a223b

SHA1
4dd22c1b25b8be9f6c3a8e178781231ce7c0c278

SHA256
5680b5a04623b12618667649c8a03184206b6008357c49e5a42bbe86188ba7b2

SHA512
12a7b936ce1887ec41d3f30eeb403c867f25f84b2538db1b0359ffd73dd97c7892558647908e2845bfcc733c0bc96f27a0ee40a45e95766aef7f5506cd4a49f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\config_js-a855f84130[1].js

Filesize
650B

MD5
95200ac3afe0c38d67d61f0dee6a776d

SHA1
3802f39988d3cc238c4580448e9d969173554536

SHA256
e47b9d7fe8f939f48b9b693823eda13a334e265eb2ebe9438d7df12b29392f59

SHA512
fb9dd93d28f569d4c30d6160232fe9ed67a02c1160f58240890b92e6f0feaf8837d6da5a1005d292fb1be6cf59ef06acb5868c26e9c9077c08ea9ffdf9c4a07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\f56738faad45f75e6a30208a3709e522[1].jpg

Filesize
1KB

MD5
9986418cccdedf22ec67c308795dc330

SHA1
e794e9c17751fccf47165b28d4a3cc84fff954b0

SHA256
d30fa6a4df513e08aa763e70f4a9dde724b80e0eafdae793679e406cbec345ac

SHA512
93c38e0b0b405bf205e9562f8b11b4152aef71338ccfe23cae9c197fd7d2d3e71bc3b00c8297d4c2b65a7122969d5f7c0bddbfa38f5ff5c7c19f8344c9128658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\input_20210414_v3-4ee6adeb4c[1].js

Filesize
14KB

MD5
a1c9b89e52e3a1d214c2e048f8f05042

SHA1
13b67baab84f282deabd8fa0c3443ac8287f57c7

SHA256
fcf3d1eb02dbc9198422e4464fba6ebf40a35ceeb37656d90e39b40ff5e8437f

SHA512
8625c469ec8c4105f349f27fd3bb513ed99af25fcc073e0833748506def3a177210069d5521c8b17fa3c504ab9b7e6bdd525be752dd71f17c8357ecfd49c6ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\js-a93551cfaf.cookie[1].js

Filesize
2KB

MD5
2c87e7b72f93a02ac2fc932a7302ba88

SHA1
ef4d16ab6fec376774de6f38d459ae135c5ef714

SHA256
4cab65a8301bc49e1e24886da61bc71159e2f29d5f69fe05247550235d55bee7

SHA512
31d3c15e6cbc24608bfeb2e41a5a73b55764a76093948c1335272d5c5395fb478dcb4877ae98fcbbba872b099247c34914da1f2e6ca57a6a27fe729c83899f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\lib-c188d07b15.sentry[1].js

Filesize
59KB

MD5
89677dc62cdb2c95395f47e240dc1839

SHA1
81a7d03ad9127345bc4d9a6b2d3795d74a2a5391

SHA256
90662822cfdf95f11541c1d98089d3114c918b569590b38c6440285757c92e10

SHA512
82b6d0015e09aa26b9f8d1fc2426ad4214ff4eaf26b0a3ac686c2361309c8a4ba98a243630b75872da6b72a6ba300bf205c10de969c51456972a66a65f4d51e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\statistics_report-582d664e37[1].js

Filesize
3KB

MD5
2a6d944b5b3376862d9617ee8f66067b

SHA1
c35f057d287f45ba203442ef7cbc5e079e56ec64

SHA256
2adc3af128f9fcacfc181ff875eccf59f737546c718825fdc4056622e13db750

SHA512
c9ba8620fd34c80f9da4d182ccaa6a4ab0014c938341b2a640e7aa89270248df5ebd5ad6cd54f2fcff96c86b59a5a4dac2b57e136cf42008084df67a5ccf8f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\a4da7793eb103d4536581b8523a802dc[1].png

Filesize
143B

MD5
8645b4a1fafd38a23ea281ad1da426a9

SHA1
218e487a59f418dc49d047774fac8cc2dc8a326a

SHA256
e2cbbc9c25ab15cfcdbe71c575d9b63dc4d76e51c9a072a457efee101a6a850a

SHA512
4f3ca1f468a5df524cbf784da575c362f82f9ee016bfed7d3de42703215fd659b7524e4d5ab4d8383de1695f34acde144e6874534956575370a5314262367f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\abtest_js-7a7017a86d[1].js

Filesize
1KB

MD5
a1e9c5cbf22e9c98260278a8188490bf

SHA1
ccecb0a0225e908c1b3c5167bf1d1df9ca18fe66

SHA256
12efb334b66d191573c05631f4e567c32500512a1015a890960c6b1c90ed94a6

SHA512
734eb82b313ad31accc319ac7dcc4fa573c2d38ef21c26a6c0814c59dbd5feec7c1d2e6f519a756112c7e4b0f09088fbc8495eb81e016bbcac61d0f7946bfb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\baidu_20201208_v3-b4291cb589[1].js

Filesize
19KB

MD5
602718cf968f85ddae7baada446a07fb

SHA1
3df8413995fca0a204f081b3c3bdc7b799cb435a

SHA256
e9c37420d0aab2c071754449cad619c2804ab7edb8da6e3c875c3af26c5cbdf4

SHA512
194b73f888f508358785ede186631decdf2433192de0e2cd173a8c9035b008533e38136c87efb143302a9283ddf40adcf881453bc55c92e1934e55852cb06bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\bd_words_v3_20210817-f18ffa384c[1].js

Filesize
44KB

MD5
af4ec0b9b38314e5cfc8c89f9ab2926d

SHA1
7451a7dab159fa7ed22831b31f70d7c2371e8f37

SHA256
222eea8fcb0a4afa1c270c3baba224a9d2473a2c7e30ed177eec01401b75ec7d

SHA512
252d299d6aee0cfdf5c5054b74b804c2e59940c611d2b7b710acbaa6b16af632baba8485efdadda45f545a1dac46d364f275230cfb8923909eb41bc02f6d6d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\common_js-5e50f6a2ff[1].js

Filesize
65KB

MD5
191c0e443745eb1c62eddcfe9bf9529b

SHA1
b5e3584d2aaa8bfc57d54c7be240646701dace01

SHA256
5f0967800d77fa1fdd502a28b1d3ade38ce8abd664565b9a9f03acc8b897d060

SHA512
ffafbc4386cabe6c59b8c2c9f4900624cd924ed74d48798393d246e1a347bd24ea1e0f183f927cc1e9d0534d3bc98a0e7669e21e91beb4a832316b526ff029f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\e0af0b4365b83c8fdf16475766116d29[1].jpg

Filesize
736B

MD5
6311257254871a33907f51b4e1554205

SHA1
9f6a370c2eb50d1e27dfaa9f3ad0ea3b97804ea7

SHA256
a17d50828773255ff0ad406b35a71ce18b2b9d6907ffbfe6ff40f9777dd75626

SHA512
f30885fd9f3aa5ea6bedb3d8fad97feadfbf67bbd283173b64e5e0eff666a6a952844ca5ccd8e41eb885a0193c84397ec763d1b576b4d2a31474778684058c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\sentry-ab9c6e157e[1].js

Filesize
351B

MD5
fd19690e71165f2188f67f5aa47b2dc9

SHA1
0bf53b11784fe2988270ec15a3d02760e7a4bbf3

SHA256
bc05db7082d9a4d2940f92bf5ec527195153a8e93966c268c662c8d5bb3b876f

SHA512
38c26f8979045b62f45f7f62d60538b5d5101a80bd46e26ed2330030a3059b21c42a140fbb8b553d347da2053db8a4d9e48b71a3b1c74108a01abe7c2b0b0532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\zjsVer2[1].js

Filesize
1KB

MD5
b3aa0921a40e8ab4cab5a73a74d8409b

SHA1
2034cd8a051d86ed1d597513b118f171063a28a7

SHA256
fe9acd64eb23128903ceb0d1bfe678c963145c7026f05337837f95b3ddc5283f

SHA512
c3bc39cd2064a81afa611abf06392491a18f53147904c40d1c4dc39f2016d022a161906b0ac51c8bc3a409e196bd7bd1da0b83a75d3876c03a5a9a38568645f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4R5027PU.txt

Filesize
63B

MD5
23402c0f8ecc7e8c2030727a8412cf0d

SHA1
eee70ddcfa7e6f630aa6bf6318d891ae38477583

SHA256
7127a25e2eb4074265269562d18f8f9441ca9b97c9a754bebf552e5b33fc0d78

SHA512
ad9377641687bc6328b1a35717f5849a7f1bcc7122ef99e9df549a3f984a1b1d13528bfd0cb750a0365f772ab5842c937598fc3a99b98643517e1b9363b59405

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NLKOJJZR.txt

Filesize
62B

MD5
6bbb7a52e2eb88f94e2ff180bb89aaa1

SHA1
509564e73ef03818f734cc1fb8915dc07676b74e

SHA256
4dc738a7f5459ef543f33bc4cc7106f85a03fea7fa04e8bd091dbfe556897571

SHA512
1cb68ea2b221ac7714137aa5b66a457adc237e9cd8597352eb685ccbe7decd200fc578b15739eb86cf9569d2314612f51fd7d977e83a23b67833c3d629956c7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UT7UYFTH.txt

Filesize
77B

MD5
2d3e3cd510adfecc0a49b1c0c578eefe

SHA1
94677eb9219e5fe7c0b7c3feb00f79de91ddb1c8

SHA256
06b2dec47cf92314dc8cbaf3db35afd7b74ff9ecc54cf060bc1f110b50a0daa9

SHA512
07ed7ba02fbb49449b68746c32e1ab26fc7d7a5663a7e02d56bd2433c65f3d8009334d8a90eef8c45b66193c5d21ebe609677f00f38a915f21c65d425f7c67e7

Download Submit
C:\WINDOWS\SysWOW64\svchoppp.exe

Filesize
319KB

MD5
74fbd17e3e84d5ba4038d520dc7b3fa5

SHA1
77bcbe9e4c83111ddb89e1a655662403bc341e5d

SHA256
671b0ed491e43e81a1a7c984e3efa081eefabc55977f0d277dadcc89d368f8e8

SHA512
6d6af9ca1d97c577b84093a15ac2be5c8bee9c700f33fce3507e1849d81fe521937bf438acf4beade14ec6776ea53c2b90a73c1205ccc738e95e2594486e7687

Download Submit
C:\WINDOWS\svchoppp.exe

Filesize
80KB

MD5
2939b4498cf6e8c6991880d270f5d8bc

SHA1
7560996145620a58f4877fa03bcf5c55f6094792

SHA256
c6eae809141147cadf8c345e6033dcc97eb1c2fac72a08531c6004bee0345aa0

SHA512
63f7a62d1844cdd1f8af12af295f0ae84f3310c118344942454a77107b7e3e1a6e8b3303159712c7cb9145ce2f83b2819835664b67ccff0ae2b8ef47af6b0d8b

Download Submit
C:\Windows\SysWOW64\svchoppp.exe

Filesize
319KB

MD5
74fbd17e3e84d5ba4038d520dc7b3fa5

SHA1
77bcbe9e4c83111ddb89e1a655662403bc341e5d

SHA256
671b0ed491e43e81a1a7c984e3efa081eefabc55977f0d277dadcc89d368f8e8

SHA512
6d6af9ca1d97c577b84093a15ac2be5c8bee9c700f33fce3507e1849d81fe521937bf438acf4beade14ec6776ea53c2b90a73c1205ccc738e95e2594486e7687

Download Submit
C:\Windows\svchoppp.exe

Filesize
80KB

MD5
2939b4498cf6e8c6991880d270f5d8bc

SHA1
7560996145620a58f4877fa03bcf5c55f6094792

SHA256
c6eae809141147cadf8c345e6033dcc97eb1c2fac72a08531c6004bee0345aa0

SHA512
63f7a62d1844cdd1f8af12af295f0ae84f3310c118344942454a77107b7e3e1a6e8b3303159712c7cb9145ce2f83b2819835664b67ccff0ae2b8ef47af6b0d8b

Download Submit
C:\kuping_s_33717.exe

Filesize
5.7MB

MD5
133d1f3154b170997b534799e6f323f8

SHA1
443cd5eed8e5b9f7f4b06950aba3a338b95dcf65

SHA256
f6f01dd101dd6342043cae6b67f037aaa0f2341a88af0e975cb2c42d9c4171cc

SHA512
a1fd8d0ebf216539fa87ffd834aebff6a783240506c6555b151dc7d5d7137b260a8519eb1263da696b81ff33554f55ea065f1cb91dda931f952ce3f9bf63f20a

Download Submit
C:\kuping_s_33717.exe

Filesize
5.7MB

MD5
133d1f3154b170997b534799e6f323f8

SHA1
443cd5eed8e5b9f7f4b06950aba3a338b95dcf65

SHA256
f6f01dd101dd6342043cae6b67f037aaa0f2341a88af0e975cb2c42d9c4171cc

SHA512
a1fd8d0ebf216539fa87ffd834aebff6a783240506c6555b151dc7d5d7137b260a8519eb1263da696b81ff33554f55ea065f1cb91dda931f952ce3f9bf63f20a

Download Submit
C:\setups_66_63962.exe

Filesize
16.0MB

MD5
848375bf6c873fdf1a19e5356bd07934

SHA1
6bfd1ea70813e638e58f163faa6d4e2e99d769ed

SHA256
c5d70f4bedf1ea3294a6e173a33662c999575fd680e967a9f84a0d41275ffc6f

SHA512
f91566c125e57714c5406acfcd9c64f02fae0ea21c6f316d0f6503e060bb8f9121f817cbe1136e372f56f8b4c5426b5bc6d1cba8fb9140297b8bba1c20806c6c

Download Submit
C:\setups_66_63962.exe

Filesize
16.0MB

MD5
848375bf6c873fdf1a19e5356bd07934

SHA1
6bfd1ea70813e638e58f163faa6d4e2e99d769ed

SHA256
c5d70f4bedf1ea3294a6e173a33662c999575fd680e967a9f84a0d41275ffc6f

SHA512
f91566c125e57714c5406acfcd9c64f02fae0ea21c6f316d0f6503e060bb8f9121f817cbe1136e372f56f8b4c5426b5bc6d1cba8fb9140297b8bba1c20806c6c

Download Submit
\Program Files\kuping4\SkinCenter.dll

Filesize
458KB

MD5
55b901792502bee075efadf17fd9e8f2

SHA1
b61d0825aed2ad588f2d69f78cffa28da2338c8e

SHA256
972f34fc37b84da2eb0dd96dc48568f2c99884a2511008070fa4b0ecf4a7a4b3

SHA512
234f877283b9432f079aeb3b2908c67a480f74bc323efeb218336d7ce91337236bdcc81da17b1047478f6283eb905388a9d48648d33cb8022e7e88545af060e1

Download Submit
\Program Files\kuping4\kuping_v4.exe

Filesize
1022KB

MD5
7dee0193e01240d2c874eaf7e2fb9ee7

SHA1
ce48ae61c1fcad4d963cc28cb2dd478e07dd436e

SHA256
f04728ab30c0baf07beacbdfa0ca4a227831de35a4d8236bffaf55f56f599fb8

SHA512
ec68050321562d92964c60c5e07118b435bf229d6d589ae927f5a18f860963fccbdb2ce51144033389280a3c92100223163acc548a381b5dadf7b49be53834e2

Download Submit
\Program Files\kuping4\kuping_v4.exe

Filesize
1022KB

MD5
7dee0193e01240d2c874eaf7e2fb9ee7

SHA1
ce48ae61c1fcad4d963cc28cb2dd478e07dd436e

SHA256
f04728ab30c0baf07beacbdfa0ca4a227831de35a4d8236bffaf55f56f599fb8

SHA512
ec68050321562d92964c60c5e07118b435bf229d6d589ae927f5a18f860963fccbdb2ce51144033389280a3c92100223163acc548a381b5dadf7b49be53834e2

Download Submit
\Program Files\kuping4\unrar.dll

Filesize
181KB

MD5
c7c312baea98038c04db09ebf0185818

SHA1
6c06debad557d403b130411fc9c0b9e69f1d641d

SHA256
514526a0ac61cea6027eb39bb28850eaca0dd064285980a6441b4368cc142416

SHA512
8a8fdff07651ce40ba62668c450009813eaaebed863c967c92df1621b1e5fc3247f0a5f25ece7faaeba956bc0d9a2038b0f168cd425a4a8ce24dacd293369351

Download Submit
\Windows\SysWOW64\svchoppp.exe

Filesize
319KB

MD5
74fbd17e3e84d5ba4038d520dc7b3fa5

SHA1
77bcbe9e4c83111ddb89e1a655662403bc341e5d

SHA256
671b0ed491e43e81a1a7c984e3efa081eefabc55977f0d277dadcc89d368f8e8

SHA512
6d6af9ca1d97c577b84093a15ac2be5c8bee9c700f33fce3507e1849d81fe521937bf438acf4beade14ec6776ea53c2b90a73c1205ccc738e95e2594486e7687

Download Submit
\Windows\SysWOW64\svchoppp.exe

Filesize
319KB

MD5
74fbd17e3e84d5ba4038d520dc7b3fa5

SHA1
77bcbe9e4c83111ddb89e1a655662403bc341e5d

SHA256
671b0ed491e43e81a1a7c984e3efa081eefabc55977f0d277dadcc89d368f8e8

SHA512
6d6af9ca1d97c577b84093a15ac2be5c8bee9c700f33fce3507e1849d81fe521937bf438acf4beade14ec6776ea53c2b90a73c1205ccc738e95e2594486e7687

Download Submit
memory/1376-153-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1376-152-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1376-85-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1416-150-0x0000000001F50000-0x0000000001FC4000-memory.dmp

Filesize
464KB

Download
memory/1524-73-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1524-64-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1524-66-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1536-139-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1536-191-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1536-132-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1752-69-0x0000000003D80000-0x0000000003E45000-memory.dmp

Filesize
788KB

Download
memory/1752-138-0x00000000042E0000-0x0000000004410000-memory.dmp

Filesize
1.2MB

Download
memory/1752-71-0x0000000003D80000-0x0000000003E45000-memory.dmp

Filesize
788KB

Download
memory/1752-84-0x0000000004420000-0x0000000004475000-memory.dmp

Filesize
340KB

Download
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1752-55-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1752-131-0x00000000042E0000-0x0000000004410000-memory.dmp

Filesize
1.2MB

Download
memory/1752-125-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1968-72-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1968-126-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2140-158-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2584-164-0x0000000000A80000-0x0000000000AB4000-memory.dmp

Filesize
208KB

Download
memory/2584-168-0x0000000001850000-0x0000000001877000-memory.dmp

Filesize
156KB

Download
memory/2584-174-0x0000000002A10000-0x0000000002A28000-memory.dmp

Filesize
96KB

Download
memory/2584-175-0x0000000002C00000-0x0000000002CA1000-memory.dmp

Filesize
644KB

Download
memory/2584-177-0x0000000003E10000-0x0000000003E49000-memory.dmp

Filesize
228KB

Download
memory/2584-166-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2584-167-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download
memory/2852-187-0x0000000003270000-0x0000000003C25000-memory.dmp

Filesize
9.7MB

Download
memory/2852-185-0x0000000002AE0000-0x0000000002C34000-memory.dmp

Filesize
1.3MB

Download
memory/2852-183-0x00000000006E0000-0x00000000006F1000-memory.dmp

Filesize
68KB

Download
memory/2852-181-0x0000000002000000-0x0000000002702000-memory.dmp

Filesize
7.0MB

Download
memory/2852-190-0x00000000030E0000-0x000000000312F000-memory.dmp

Filesize
316KB

Download
memory/2852-193-0x0000000004490000-0x00000000044EA000-memory.dmp

Filesize
360KB

Download
memory/2852-195-0x00000000044F0000-0x0000000004516000-memory.dmp

Filesize
152KB

Download
memory/2852-198-0x0000000004560000-0x0000000004577000-memory.dmp

Filesize
92KB

Download