0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8

Analysis

max time kernel
151s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe
Size

1.9MB
MD5

42d4763dea91081dc2202ee0e4a4372f
SHA1

eaa8a8b22221fad5ef5aeb440802c4bb4072bcfb
SHA256

0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8
SHA512

7ba9884d68c4346360d2e103b50c0963942a51a7ff0dc9978501f6e39c6f8e4c71c5c316f3057405beb24f83d96b0e305b922375b27ace3a4abbfd4d4ef300b1
SSDEEP

49152:xitV1YKeMH6LQ8iR2acHU1aKKbw9CFRdnozTt9KoQ6nz1:xi1YKNOicacmubhFQzB97z1

Score

10^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\K8Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\K8Shell\ = "{53506455-E799-443f-ADDB-891CA6EFC928}"	regsvr32.exe

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

~GM8DAE.exekua957F.tmpK8GM.exeK8Update.exeK8GM.exeK8Bubble.exeK8Update.exeK8Update.exe

pid process

4820 ~GM8DAE.exe
4668 kua957F.tmp
2484 K8GM.exe
2528 K8Update.exe
1792 K8GM.exe
4364 K8Bubble.exe
3156 K8Update.exe
600 K8Update.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

3732 netsh.exe
2940 netsh.exe
2388 netsh.exe
3460 netsh.exe

pid	process
4820	~GM8DAE.exe
4668	kua957F.tmp
2484	K8GM.exe
2528	K8Update.exe
1792	K8GM.exe
4364	K8Bubble.exe
3156	K8Update.exe
600	K8Update.exe

pid	process
3732	netsh.exe
2940	netsh.exe
2388	netsh.exe
3460	netsh.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\InprocServer32\ = "C:\\Program Files (x86)\\Kuai8\\tool_x64\\K8Shell.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\InprocServer32\ = "C:\\Program Files (x86)\\Kuai8\\tool_x64\\K8ShellIcon.dll"	regsvr32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kua957F.tmpK8GM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	kua957F.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	K8GM.exe

Loads dropped DLL 46 IoCs

Processes:

kua957F.tmpK8GM.exeK8Update.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeK8GM.exeK8Bubble.exeK8Update.exeK8Update.exe

pid	process
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
4668	kua957F.tmp
2484	K8GM.exe
2484	K8GM.exe
2484	K8GM.exe
2484	K8GM.exe
2484	K8GM.exe
2484	K8GM.exe
2484	K8GM.exe
2528	K8Update.exe
2528	K8Update.exe
2528	K8Update.exe
2528	K8Update.exe
2528	K8Update.exe
4804	regsvr32.exe
4140	regsvr32.exe
4872	regsvr32.exe
4860	regsvr32.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
4364	K8Bubble.exe
4364	K8Bubble.exe
4364	K8Bubble.exe
1792	K8GM.exe
1792	K8GM.exe
3156	K8Update.exe
3156	K8Update.exe
3156	K8Update.exe
600	K8Update.exe
600	K8Update.exe
600	K8Update.exe
600	K8Update.exe
600	K8Update.exe
3156	K8Update.exe
3156	K8Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

kua957F.tmp

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kua957F.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kua957F.tmp

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

K8GM.exeK8Update.exeK8Update.exeK8GM.exeK8Update.exeK8Bubble.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	K8GM.exe
File opened for modification	\??\PhysicalDrive0	K8Update.exe
File opened for modification	\??\PhysicalDrive0	K8Update.exe
File opened for modification	\??\PhysicalDrive0	K8GM.exe
File opened for modification	\??\PhysicalDrive0	K8Update.exe
File opened for modification	\??\PhysicalDrive0	K8Bubble.exe

Drops file in Program Files directory 37 IoCs

Processes:

kua957F.tmp

description	ioc	process
File created	C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8DLUtils.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\Uninstall.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8GameShell64.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8External.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8NetDetect.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Shell.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8Browser.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8Web.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8BugReport.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8RestoreWindow.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8UIRender.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8TaskBar.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\msvcp80.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\audio\complete.wav	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\msvcp80.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\msvcr80.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8GameShell32.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8Update.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8Common.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Bubble.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8DLPlatform.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8MiniPage.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\Microsoft.VC80.CRT.manifest	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8ShellIcon.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8GM.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8UIRender.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\K8Version.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8DLUtils.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\msvcr80.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\Microsoft.VC80.CRT.manifest	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Common.dll	kua957F.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Tray.exe	kua957F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~GM8DAE.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\~GM8DAE.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

K8GM.exekua957F.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\K8Web.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yxh.kuai8box.com\ = "63"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\K8MiniPage.exe = "1"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\K8Web.exe = "1"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\K8MiniPage.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\K8MiniPage.exe = "1"	K8GM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8GM.exe = "11000"	kua957F.tmp
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\K8Web.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\K8Web.exe = "1"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation\K8Web.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation\K8MiniPage.exe = "1"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8Web.exe = "11000"	kua957F.tmp
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\K8Web.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\kuai8box.com	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\kuai8box.com\NumberOfSubdomains = "1"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\yxh.kuai8box.com	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\kuai8box.com\Total = "63"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\K8Web.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\K8MiniPage.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\K8MiniPage.exe = "1"	K8GM.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\kuai8box.com	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8Browser.exe = "11000"	kua957F.tmp
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8MiniPage.exe = "11000"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\K8MiniPage.exe = "1"	K8GM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	K8GM.exe

Modifies registry class 32 IoCs

Processes:

regsvr32.exeregsvr32.exekua957F.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\K8Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{92B0B94D-A0F1-4ede-A99D-9A5820E51F61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\InprocServer32\ = "C:\\Program Files (x86)\\Kuai8\\tool_x64\\K8ShellIcon.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{36BE2460-08C1-44bb-B0B7-8D45FAD1A960}\ = "K8Shell"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\K8Shell\ = "{53506455-E799-443f-ADDB-891CA6EFC928}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\ContextMenuHandlers\K8Shell\ = "{53506455-E799-443f-ADDB-891CA6EFC928}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\AppID = "{92B0B94D-A0F1-4ede-A99D-9A5820E51F61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	kua957F.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{92B0B94D-A0F1-4ede-A99D-9A5820E51F61}\ = "K8ShellIcon"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\K8Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\K8Shell\ = "{53506455-E799-443f-ADDB-891CA6EFC928}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GMShellIcon.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GMShellIcon.DLL\AppID = "{92B0B94D-A0F1-4ede-A99D-9A5820E51F61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\ = "¿ì°ÉÓÎÏ·Ä¿Â¼Í¼±ê"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\K8Shell.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\ = "¿ì°ÉÓÎÏ·ÓÒ¼ü²Ëµ¥À©Õ¹"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\AppID = "{36BE2460-08C1-44bb-B0B7-8D45FAD1A960}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\ContextMenuHandlers\K8Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\K8Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{36BE2460-08C1-44bb-B0B7-8D45FAD1A960}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\K8Shell\ = "{53506455-E799-443f-ADDB-891CA6EFC928}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{379CD200-C191-4f1e-9459-131ACD92130B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\K8Shell.DLL\AppID = "{36BE2460-08C1-44bb-B0B7-8D45FAD1A960}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53506455-E799-443f-ADDB-891CA6EFC928}\InprocServer32\ = "C:\\Program Files (x86)\\Kuai8\\tool_x64\\K8Shell.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

kua957F.tmpK8Update.exeK8GM.exe

pid process

4668 kua957F.tmp
4668 kua957F.tmp
3156 K8Update.exe
3156 K8Update.exe
1792 K8GM.exe
1792 K8GM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exeK8GM.exeK8GM.exe

description	pid	process
Token: SeDebugPrivilege	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe
Token: SeManageVolumePrivilege	2484	K8GM.exe
Token: SeManageVolumePrivilege	1792	K8GM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

K8GM.exeK8GM.exe

pid process

2484 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

K8GM.exeK8GM.exe

pid process

2484 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
1792 K8GM.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

K8GM.exe

pid process

1792 K8GM.exe
1792 K8GM.exe

pid	process
2484	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe

pid	process
2484	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe
1792	K8GM.exe

pid	process
1792	K8GM.exe
1792	K8GM.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exekua957F.tmpcmd.execmd.execmd.execmd.exeregsvr32.exeregsvr32.exeK8GM.exe

description	pid	process	target process
PID 2100 wrote to memory of 4820	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe	~GM8DAE.exe
PID 2100 wrote to memory of 4820	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe	~GM8DAE.exe
PID 2100 wrote to memory of 4820	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe	~GM8DAE.exe
PID 2100 wrote to memory of 4668	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe	kua957F.tmp
PID 2100 wrote to memory of 4668	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe	kua957F.tmp
PID 2100 wrote to memory of 4668	2100	0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe	kua957F.tmp
PID 4668 wrote to memory of 3636	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 3636	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 3636	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 4232	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 4232	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 4232	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 3324	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 3324	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 3324	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 4180	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 4180	4668	kua957F.tmp	cmd.exe
PID 4668 wrote to memory of 4180	4668	kua957F.tmp	cmd.exe
PID 3636 wrote to memory of 3732	3636	cmd.exe	netsh.exe
PID 3636 wrote to memory of 3732	3636	cmd.exe	netsh.exe
PID 3636 wrote to memory of 3732	3636	cmd.exe	netsh.exe
PID 4668 wrote to memory of 2484	4668	kua957F.tmp	K8GM.exe
PID 4668 wrote to memory of 2484	4668	kua957F.tmp	K8GM.exe
PID 4668 wrote to memory of 2484	4668	kua957F.tmp	K8GM.exe
PID 4232 wrote to memory of 2940	4232	cmd.exe	netsh.exe
PID 4232 wrote to memory of 2940	4232	cmd.exe	netsh.exe
PID 4232 wrote to memory of 2940	4232	cmd.exe	netsh.exe
PID 4180 wrote to memory of 3460	4180	cmd.exe	netsh.exe
PID 4180 wrote to memory of 3460	4180	cmd.exe	netsh.exe
PID 4180 wrote to memory of 3460	4180	cmd.exe	netsh.exe
PID 3324 wrote to memory of 2388	3324	cmd.exe	netsh.exe
PID 3324 wrote to memory of 2388	3324	cmd.exe	netsh.exe
PID 3324 wrote to memory of 2388	3324	cmd.exe	netsh.exe
PID 4668 wrote to memory of 2528	4668	kua957F.tmp	K8Update.exe
PID 4668 wrote to memory of 2528	4668	kua957F.tmp	K8Update.exe
PID 4668 wrote to memory of 2528	4668	kua957F.tmp	K8Update.exe
PID 4668 wrote to memory of 4804	4668	kua957F.tmp	regsvr32.exe
PID 4668 wrote to memory of 4804	4668	kua957F.tmp	regsvr32.exe
PID 4668 wrote to memory of 4804	4668	kua957F.tmp	regsvr32.exe
PID 4804 wrote to memory of 4140	4804	regsvr32.exe	regsvr32.exe
PID 4804 wrote to memory of 4140	4804	regsvr32.exe	regsvr32.exe
PID 4668 wrote to memory of 4872	4668	kua957F.tmp	regsvr32.exe
PID 4668 wrote to memory of 4872	4668	kua957F.tmp	regsvr32.exe
PID 4668 wrote to memory of 4872	4668	kua957F.tmp	regsvr32.exe
PID 4872 wrote to memory of 4860	4872	regsvr32.exe	regsvr32.exe
PID 4872 wrote to memory of 4860	4872	regsvr32.exe	regsvr32.exe
PID 4668 wrote to memory of 1792	4668	kua957F.tmp	K8GM.exe
PID 4668 wrote to memory of 1792	4668	kua957F.tmp	K8GM.exe
PID 4668 wrote to memory of 1792	4668	kua957F.tmp	K8GM.exe
PID 4668 wrote to memory of 4364	4668	kua957F.tmp	K8Bubble.exe
PID 4668 wrote to memory of 4364	4668	kua957F.tmp	K8Bubble.exe
PID 4668 wrote to memory of 4364	4668	kua957F.tmp	K8Bubble.exe
PID 1792 wrote to memory of 3156	1792	K8GM.exe	K8Update.exe
PID 1792 wrote to memory of 3156	1792	K8GM.exe	K8Update.exe
PID 1792 wrote to memory of 3156	1792	K8GM.exe	K8Update.exe
PID 1792 wrote to memory of 600	1792	K8GM.exe	K8Update.exe
PID 1792 wrote to memory of 600	1792	K8GM.exe	K8Update.exe
PID 1792 wrote to memory of 600	1792	K8GM.exe	K8Update.exe

C:\Users\Admin\AppData\Local\Temp\0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe
"C:\Users\Admin\AppData\Local\Temp\0a2ef7badaf33ec6c84b75302731e27c85409b616384e6ed91b23629b39754c8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\~GM8DAE.exe
"C:\Users\Admin\AppData\Local\Temp\~GM8DAE.exe"
2⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\Temp\kua957F.tmp
C:\Users\Admin\AppData\Local\Temp\kua957F.tmp
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8GM.exe" name="快吧游戏管理器" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8GM.exe" name="快吧游戏管理器" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8DLPlatform.exe" name="快吧游戏下载平台" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8DLPlatform.exe" name="快吧游戏下载平台" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe" name="快吧运行库检测程序" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe" name="快吧运行库检测程序" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe" name="快吧下载故障检测程序" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe" name="快吧下载故障检测程序" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:3460

C:\Program Files (x86)\Kuai8\K8GM.exe
"C:\Program Files (x86)\Kuai8\K8GM.exe" -update_data
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2484

C:\Program Files (x86)\Kuai8\K8Update.exe
"C:\Program Files (x86)\Kuai8\K8Update.exe" -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2528

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll"
4⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4140

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4860

C:\Program Files (x86)\Kuai8\K8GM.exe
"C:\Program Files (x86)\Kuai8\K8GM.exe" -show=3 -atonce
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files (x86)\Kuai8\K8Update.exe
"C:\Program Files (x86)\Kuai8\K8Update.exe" -update -delay=3 -type=1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Program Files (x86)\Kuai8\K8Update.exe
"C:\Program Files (x86)\Kuai8\K8Update.exe" -installrun
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:600

C:\Program Files (x86)\Kuai8\tool\K8Bubble.exe
"C:\Program Files (x86)\Kuai8\tool\K8Bubble.exe" -query_action
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\K8DLPlatform.exe
Filesize
1.9MB

MD5
fbf0dbcabfa89252e91d9c0e958d154f

SHA1
9c987ecb1d15549422f195575e39be170bfdf278

SHA256
2a3155ac36d457d6122e5e7e2cc4213433338c1dec9ac3dc7ae138a7a7c633ce

SHA512
8122e2f8612a25f5a0e6e4b433c8719cba99261ef093e83620cfeb2c8a09fefa66a3eb84efc8863426cc6d657725ed98487357ceab045f4209f947d9769d15b3

Download Submit
C:\Program Files (x86)\Kuai8\K8DLUtils.dll
Filesize
860KB

MD5
9632c62399f6361537a64f341f33e459

SHA1
bf1a075b2410d866043a926945b51056b27c36c6

SHA256
f7456214786dfdeeeee79c83101f5a00f4ab4c72dadd438b988f9547efae4723

SHA512
ee32be1248828dfd32d278b8fea6912a7b8265eaad25e7ca3db7624e05fe3937621bc5e36160691aff3a090cb7346bbf3074ced27c8a16589957ee7a0faee16f

Download Submit
C:\Program Files (x86)\Kuai8\K8DLUtils.dll
Filesize
860KB

MD5
9632c62399f6361537a64f341f33e459

SHA1
bf1a075b2410d866043a926945b51056b27c36c6

SHA256
f7456214786dfdeeeee79c83101f5a00f4ab4c72dadd438b988f9547efae4723

SHA512
ee32be1248828dfd32d278b8fea6912a7b8265eaad25e7ca3db7624e05fe3937621bc5e36160691aff3a090cb7346bbf3074ced27c8a16589957ee7a0faee16f

Download Submit
C:\Program Files (x86)\Kuai8\K8DLUtils.dll
Filesize
860KB

MD5
9632c62399f6361537a64f341f33e459

SHA1
bf1a075b2410d866043a926945b51056b27c36c6

SHA256
f7456214786dfdeeeee79c83101f5a00f4ab4c72dadd438b988f9547efae4723

SHA512
ee32be1248828dfd32d278b8fea6912a7b8265eaad25e7ca3db7624e05fe3937621bc5e36160691aff3a090cb7346bbf3074ced27c8a16589957ee7a0faee16f

Download Submit
C:\Program Files (x86)\Kuai8\K8DLUtils.dll
Filesize
860KB

MD5
9632c62399f6361537a64f341f33e459

SHA1
bf1a075b2410d866043a926945b51056b27c36c6

SHA256
f7456214786dfdeeeee79c83101f5a00f4ab4c72dadd438b988f9547efae4723

SHA512
ee32be1248828dfd32d278b8fea6912a7b8265eaad25e7ca3db7624e05fe3937621bc5e36160691aff3a090cb7346bbf3074ced27c8a16589957ee7a0faee16f

Download Submit
C:\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
C:\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
C:\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8Update.exe
Filesize
368KB

MD5
95d49848066ab1ccfea86cd300d02dbd

SHA1
17647630d602bb5fa27a8ff5d6fdec9bb786e544

SHA256
62983a47759956dc0dd7b7950caaed0deb63869c2c9849178b7e4700a38f9622

SHA512
81f9d5aa02b838f5e97c3072ec248218e56da92312464e66a0095ba969424b8ac689c05d44d14cf3790a4250786331ed732135c97ce6b2d9964285d8921c7cb9

Download Submit
C:\Program Files (x86)\Kuai8\K8Update.exe
Filesize
368KB

MD5
95d49848066ab1ccfea86cd300d02dbd

SHA1
17647630d602bb5fa27a8ff5d6fdec9bb786e544

SHA256
62983a47759956dc0dd7b7950caaed0deb63869c2c9849178b7e4700a38f9622

SHA512
81f9d5aa02b838f5e97c3072ec248218e56da92312464e66a0095ba969424b8ac689c05d44d14cf3790a4250786331ed732135c97ce6b2d9964285d8921c7cb9

Download Submit
C:\Program Files (x86)\Kuai8\K8Update.exe
Filesize
368KB

MD5
95d49848066ab1ccfea86cd300d02dbd

SHA1
17647630d602bb5fa27a8ff5d6fdec9bb786e544

SHA256
62983a47759956dc0dd7b7950caaed0deb63869c2c9849178b7e4700a38f9622

SHA512
81f9d5aa02b838f5e97c3072ec248218e56da92312464e66a0095ba969424b8ac689c05d44d14cf3790a4250786331ed732135c97ce6b2d9964285d8921c7cb9

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8Bubble.exe
Filesize
196KB

MD5
0940b7c4de82c7281ad93b34a060a465

SHA1
9bb2ad71a06ccc8c839ea1aa022afbad46e5b770

SHA256
412ebc64babf46c938c0ae9f0054b88b31318ae19760b131ae2395daa85845ae

SHA512
fdbcc5f16c3e203f903f5fb72547876717bb19498bd08a8305ad3548bba4c8d633900a4f2428b8456c674456697ffc859a9831011aa1e6c567c045fccedeca5a

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe
Filesize
232KB

MD5
646af4feafbc0726b7f7377b65878984

SHA1
1a89bdb85fcc6f484f9bb392c76ea8703e12d33d

SHA256
8cf9855c67b443a3d3b547a5b7bce6dd7f6f3f7ba340c8d4011fbb0c5e13696a

SHA512
431721177423af50af9c6242f485b48e465b13b3bc3605d36e2d9907a85db11a7b61691296501fc3d77088d1f5bf727d9305a28d0b5eea6b69255cb8ee6a8af0

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe
Filesize
508KB

MD5
ec9b921c5af3bbbde0fc180dab987e59

SHA1
91668a6737716d3b0d302201266cd87e6ec3b91c

SHA256
01b80e06404afdd50d1c7606c171ec7987a12febed064594b591e63ac3918f20

SHA512
c0c8e57ca16bb03f8f2e97e8d654418b31a52ed4e54f8b7309d6c51f579ef07d7832add39d3a8e74a61addc6b411e461e0fffcad721e0a660d163b355829073a

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\tool\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll
Filesize
1.1MB

MD5
ed42649f34d6793a22b07c8100b29565

SHA1
932c9bc65452861bc7d2224085f8ed22a3d71431

SHA256
cfd266e6240fcab22d9dcb6619bd865c817bf087f40dc08589af6df55bc59325

SHA512
95d87a0f357710795b754ce8704b91a410bdd08d29b65dca2f7739f359773c1e7283a607d9209a3749215f82ceba37ddac0f622768afc106b8906c7cfc86b2ba

Download Submit
C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll
Filesize
1.1MB

MD5
ed42649f34d6793a22b07c8100b29565

SHA1
932c9bc65452861bc7d2224085f8ed22a3d71431

SHA256
cfd266e6240fcab22d9dcb6619bd865c817bf087f40dc08589af6df55bc59325

SHA512
95d87a0f357710795b754ce8704b91a410bdd08d29b65dca2f7739f359773c1e7283a607d9209a3749215f82ceba37ddac0f622768afc106b8906c7cfc86b2ba

Download Submit
C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll
Filesize
1.1MB

MD5
ed42649f34d6793a22b07c8100b29565

SHA1
932c9bc65452861bc7d2224085f8ed22a3d71431

SHA256
cfd266e6240fcab22d9dcb6619bd865c817bf087f40dc08589af6df55bc59325

SHA512
95d87a0f357710795b754ce8704b91a410bdd08d29b65dca2f7739f359773c1e7283a607d9209a3749215f82ceba37ddac0f622768afc106b8906c7cfc86b2ba

Download Submit
C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll
Filesize
1.1MB

MD5
e57e46a3edc4f15363ea8a2c06ca0e45

SHA1
34d6769288c1e0ccd4e78076a4135190fcf7cf93

SHA256
a0768ae5db707705bbfebc0d4c272df6390f8fa0dfb0eef19553cf229417c5a7

SHA512
4358e8c148b7814a525772795bad78475e2cd5b4e8493a1b4c94a95558af0f379248a27fb8fd4edef483f23f4e0cf15eb44bfa19162e4576be9f7754317d623f

Download Submit
C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll
Filesize
1.1MB

MD5
e57e46a3edc4f15363ea8a2c06ca0e45

SHA1
34d6769288c1e0ccd4e78076a4135190fcf7cf93

SHA256
a0768ae5db707705bbfebc0d4c272df6390f8fa0dfb0eef19553cf229417c5a7

SHA512
4358e8c148b7814a525772795bad78475e2cd5b4e8493a1b4c94a95558af0f379248a27fb8fd4edef483f23f4e0cf15eb44bfa19162e4576be9f7754317d623f

Download Submit
C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll
Filesize
1.1MB

MD5
e57e46a3edc4f15363ea8a2c06ca0e45

SHA1
34d6769288c1e0ccd4e78076a4135190fcf7cf93

SHA256
a0768ae5db707705bbfebc0d4c272df6390f8fa0dfb0eef19553cf229417c5a7

SHA512
4358e8c148b7814a525772795bad78475e2cd5b4e8493a1b4c94a95558af0f379248a27fb8fd4edef483f23f4e0cf15eb44bfa19162e4576be9f7754317d623f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kua957F.tmp
Filesize
10.9MB

MD5
99f6bee1877dba83d4379de73fcd88f7

SHA1
11ecd3f579c938aa1dafeee0ca3c7cbf8995ffae

SHA256
4ec33557cdd2aae2bbac1203e04a21cd9dfa064e5be3fc25d5f86465b514e140

SHA512
61976035ecdb3581f088357da4613d4bb0e2e7f1794488fdc49d39f6a4a8dd50e78a7ce70ea7be57ae3a48d49c4b112df715880837bc029630e4cd24ecf5f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kua957F.tmp
Filesize
10.9MB

MD5
99f6bee1877dba83d4379de73fcd88f7

SHA1
11ecd3f579c938aa1dafeee0ca3c7cbf8995ffae

SHA256
4ec33557cdd2aae2bbac1203e04a21cd9dfa064e5be3fc25d5f86465b514e140

SHA512
61976035ecdb3581f088357da4613d4bb0e2e7f1794488fdc49d39f6a4a8dd50e78a7ce70ea7be57ae3a48d49c4b112df715880837bc029630e4cd24ecf5f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB889.tmp\System.dll
Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GM8DAE.exe
Filesize
1.6MB

MD5
318e9318e52e7c322c3a347cc2af5664

SHA1
8a5c3ef6d9fd5943661bd8533a3284ff2f3cd21c

SHA256
ac6363d9df66bad87ecf688a6934ec1e2e5ac87be73a4a0b4c0a6f57e2504a77

SHA512
cf5037db84ddf9576d323fdea25ce57f49bf3fc8bfdf13f0f6c4c80b0492e60cb96abcf0355726d2564ed7c1e93eb3e0867d6085c9fae25004e2a233e24434cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GM8DAE.exe
Filesize
1.6MB

MD5
318e9318e52e7c322c3a347cc2af5664

SHA1
8a5c3ef6d9fd5943661bd8533a3284ff2f3cd21c

SHA256
ac6363d9df66bad87ecf688a6934ec1e2e5ac87be73a4a0b4c0a6f57e2504a77

SHA512
cf5037db84ddf9576d323fdea25ce57f49bf3fc8bfdf13f0f6c4c80b0492e60cb96abcf0355726d2564ed7c1e93eb3e0867d6085c9fae25004e2a233e24434cb

Download Submit
C:\Users\Admin\AppData\Roaming\Kuai8\data\database.gmx
Filesize
2.6MB

MD5
8cc834b34b663ea0cb2e3aa0ade74eb8

SHA1
d4e8b97e4bd5862bb7b9f2106b8f25b348c82307

SHA256
ac19137c53bc6bb43f22bcb5eab01d8ba042598657f1c6a5f5cb480499d7ebe1

SHA512
b7d3bc7c3b7a1b5ca8a49719e65c0c2199a580cb0dc7d6c9f13e22d4235049522e219b08dbf092aadf53cfecb60b84b0eed82b89f59045141e5a0244ca959156

Download Submit
C:\Users\Admin\AppData\Roaming\Kuai8\data\database.gmx
Filesize
4.0MB

MD5
8bba5164997d8fc210aaa3475624772a

SHA1
0c173046e12f622ef4497f2044e89321a278c6ea

SHA256
b17426c1c3590cf1f820d45e214055a131c133fb5b1be2ca72571ab83f5888be

SHA512
a48177c0c8d9a528b64468a70640f6cec3cd14b9984bcfac5b93be5e51f38f858f6a90130a6f6808ffab33958676fb66e1a1e352d08b04f4f59078018c1cb9d0

Download Submit
C:\Users\Admin\AppData\Roaming\Kuai8\data\plugin\scan.gmx
Filesize
642KB

MD5
d190f1a6943c0aa71c378173aedc8545

SHA1
2bdaa0c1099341b77bcb64c71e4f764a078fe94c

SHA256
ae45c93318620540e89d40800dd2120f6ee4782813c557dae1a8035758d67fd9

SHA512
b068f62420e75f2b04683bc8d752895006b8f21d825e60ce768889103d3513343ea4e045255a941baf51c4326164bbd8989e06a00876ce37b0bf13a8e67217bd

Download Submit
C:\Users\Admin\AppData\Roaming\Kuai8\data\plugin\search.gmx
Filesize
1016B

MD5
b8490c1c39dfb7bc9b998545190c6803

SHA1
5257c23d3915197ac3d84ffc2233adbc5e9f5abf

SHA256
232b7292e81fb2f2a26fe5fed26355d839411172cf09113a0d1c9b741c5ff918

SHA512
0b0221d850d86e5a5ade3ac59f7dbfa53e25183e3ea66e2f11f06bdf85dc01daa9c0c7c344211af155fbf676f3c6ce81f9fb8ba5501ff77fb7a0dff51d4dd7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Kuai8\data\plugin\top.gmx
Filesize
1KB

MD5
0cdb4d571f2ddc52f5fb7936b5ce54bd

SHA1
83351729e5b203f229816747f2679e3e6da7e1ff

SHA256
3b4d8c525dfdf31ae8a02cd22b5042340a18442035648c100b3459e0f710561e

SHA512
cffe12924a95b965c353c4d483059ec32b51fe23c41b15e49bc50a99516edc826ee85678a19f535464c516654564822388acb5939048be9d20d852908e864311

Download Submit
memory/600-233-0x0000000000A91000-0x0000000000A94000-memory.dmp

Filesize
12KB

Download
memory/600-230-0x0000000000000000-mapping.dmp

Download
memory/600-231-0x0000000000820000-0x0000000000934000-memory.dmp

Filesize
1.1MB

Download
memory/1792-207-0x0000000001000000-0x0000000001114000-memory.dmp

Filesize
1.1MB

Download
memory/1792-209-0x0000000001120000-0x00000000011F2000-memory.dmp

Filesize
840KB

Download
memory/1792-200-0x0000000000000000-mapping.dmp

Download
memory/1792-206-0x0000000001001000-0x00000000010B6000-memory.dmp

Filesize
724KB

Download
memory/2388-161-0x0000000000000000-mapping.dmp

Download
memory/2484-153-0x0000000000000000-mapping.dmp

Download
memory/2484-177-0x00000000015A1000-0x00000000015A4000-memory.dmp

Filesize
12KB

Download
memory/2484-165-0x00000000010F0000-0x0000000001204000-memory.dmp

Filesize
1.1MB

Download
memory/2484-168-0x0000000001211000-0x0000000001466000-memory.dmp

Filesize
2.3MB

Download
memory/2484-169-0x0000000001210000-0x0000000001557000-memory.dmp

Filesize
3.3MB

Download
memory/2528-185-0x0000000000940000-0x0000000000A54000-memory.dmp

Filesize
1.1MB

Download
memory/2528-189-0x0000000000AA1000-0x0000000000AA4000-memory.dmp

Filesize
12KB

Download
memory/2528-180-0x0000000000000000-mapping.dmp

Download
memory/2940-158-0x0000000000000000-mapping.dmp

Download
memory/3156-226-0x0000000000000000-mapping.dmp

Download
memory/3156-234-0x0000000000AB1000-0x0000000000AB4000-memory.dmp

Filesize
12KB

Download
memory/3156-228-0x00000000007C0000-0x00000000008D4000-memory.dmp

Filesize
1.1MB

Download
memory/3324-150-0x0000000000000000-mapping.dmp

Download
memory/3460-159-0x0000000000000000-mapping.dmp

Download
memory/3636-148-0x0000000000000000-mapping.dmp

Download
memory/3732-152-0x0000000000000000-mapping.dmp

Download
memory/4140-193-0x0000000000000000-mapping.dmp

Download
memory/4180-151-0x0000000000000000-mapping.dmp

Download
memory/4232-149-0x0000000000000000-mapping.dmp

Download
memory/4364-220-0x00000000008B0000-0x00000000009C4000-memory.dmp

Filesize
1.1MB

Download
memory/4364-211-0x0000000000000000-mapping.dmp

Download
memory/4364-219-0x00000000008B1000-0x0000000000966000-memory.dmp

Filesize
724KB

Download
memory/4668-135-0x0000000000000000-mapping.dmp

Download
memory/4804-190-0x0000000000000000-mapping.dmp

Download
memory/4820-132-0x0000000000000000-mapping.dmp

Download
memory/4860-198-0x0000000000000000-mapping.dmp

Download
memory/4872-195-0x0000000000000000-mapping.dmp

Download