c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616

Analysis

max time kernel
208s
max time network
230s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
Size

532KB
MD5

0fb6df32fe87a12293c860f9c496d719
SHA1

2b6a0e99391879a367c1c9b5e073b80a059bdd21
SHA256

c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616
SHA512

32d52a542c3dc1eb2b5fd1cfc5ecb4174207ebc26cb9645fa1cce57aeb9081f8ac38a3bd7a723be7df4ec36f0a8209278e34b4025fb32f70a57abdeb4681bab5
SSDEEP

12288:InpaODJZfcaxqAiRp6K/dz44hgtMcoaucg:IjqAiGK/9442t5oaW

Score

8^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

~GM3776.exekua8C69.tmpK8GM.exeK8Update.exe

pid process

848 ~GM3776.exe
964 kua8C69.tmp
940 K8GM.exe
1452 K8Update.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1500 netsh.exe
1956 netsh.exe
1732 netsh.exe
1144 netsh.exe

pid	process
848	~GM3776.exe
964	kua8C69.tmp
940	K8GM.exe
1452	K8Update.exe

pid	process
1500	netsh.exe
1956	netsh.exe
1732	netsh.exe
1144	netsh.exe

Loads dropped DLL 25 IoCs

Processes:

c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exekua8C69.tmpK8GM.exeK8Update.exe

pid	process
1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
940	K8GM.exe
940	K8GM.exe
940	K8GM.exe
940	K8GM.exe
964	kua8C69.tmp
964	kua8C69.tmp
964	kua8C69.tmp
1452	K8Update.exe
1452	K8Update.exe
1452	K8Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

kua8C69.tmp

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kua8C69.tmp
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

K8GM.exeK8Update.exe

description ioc process

File opened for modification \??\PhysicalDrive0 K8GM.exe
File opened for modification \??\PhysicalDrive0 K8Update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kua8C69.tmp

description	ioc	process
File opened for modification	\??\PhysicalDrive0	K8GM.exe
File opened for modification	\??\PhysicalDrive0	K8Update.exe

Drops file in Program Files directory 37 IoCs

Processes:

kua8C69.tmp

description	ioc	process
File created	C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\msvcr80.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8GameShell64.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8Common.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8GameShell32.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Common.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8External.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8DLPlatform.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\Microsoft.VC80.CRT.manifest	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8UIRender.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\Microsoft.VC80.CRT.manifest	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8Version.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8TaskBar.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Shell.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8RestoreWindow.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8ShellIcon.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8Browser.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8Web.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8Update.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\msvcp80.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8DLUtils.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\msvcr80.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8BugReport.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\Uninstall.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Tray.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8MiniPage.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\audio\complete.wav	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8GM.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8DLUtils.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\K8UIRender.dll	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8Bubble.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\K8NetDetect.exe	kua8C69.tmp
File created	C:\Program Files (x86)\Kuai8\tool\msvcp80.dll	kua8C69.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

kua8C69.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	kua8C69.tmp
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	kua8C69.tmp
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	kua8C69.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8GM.exe = "11000"	kua8C69.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8Browser.exe = "11000"	kua8C69.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8Web.exe = "11000"	kua8C69.tmp

Modifies registry class 2 IoCs

Processes:

kua8C69.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	kua8C69.tmp
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	kua8C69.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

kua8C69.tmp

pid process

964 kua8C69.tmp

pid	process
964	kua8C69.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exeK8GM.exe

description	pid	process
Token: SeDebugPrivilege	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
Token: SeManageVolumePrivilege	940	K8GM.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exekua8C69.tmpcmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 848	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	~GM3776.exe
PID 1664 wrote to memory of 848	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	~GM3776.exe
PID 1664 wrote to memory of 848	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	~GM3776.exe
PID 1664 wrote to memory of 848	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	~GM3776.exe
PID 1664 wrote to memory of 964	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	kua8C69.tmp
PID 1664 wrote to memory of 964	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	kua8C69.tmp
PID 1664 wrote to memory of 964	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	kua8C69.tmp
PID 1664 wrote to memory of 964	1664	c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe	kua8C69.tmp
PID 964 wrote to memory of 1052	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1052	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1052	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1052	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 316	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 316	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 316	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 316	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1844	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1844	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1844	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 1844	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 580	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 580	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 580	964	kua8C69.tmp	cmd.exe
PID 964 wrote to memory of 580	964	kua8C69.tmp	cmd.exe
PID 1844 wrote to memory of 1732	1844	cmd.exe	netsh.exe
PID 1844 wrote to memory of 1732	1844	cmd.exe	netsh.exe
PID 1844 wrote to memory of 1732	1844	cmd.exe	netsh.exe
PID 1844 wrote to memory of 1732	1844	cmd.exe	netsh.exe
PID 1052 wrote to memory of 1500	1052	cmd.exe	netsh.exe
PID 1052 wrote to memory of 1500	1052	cmd.exe	netsh.exe
PID 1052 wrote to memory of 1500	1052	cmd.exe	netsh.exe
PID 1052 wrote to memory of 1500	1052	cmd.exe	netsh.exe
PID 316 wrote to memory of 1144	316	cmd.exe	netsh.exe
PID 316 wrote to memory of 1144	316	cmd.exe	netsh.exe
PID 316 wrote to memory of 1144	316	cmd.exe	netsh.exe
PID 316 wrote to memory of 1144	316	cmd.exe	netsh.exe
PID 580 wrote to memory of 1956	580	cmd.exe	netsh.exe
PID 580 wrote to memory of 1956	580	cmd.exe	netsh.exe
PID 580 wrote to memory of 1956	580	cmd.exe	netsh.exe
PID 580 wrote to memory of 1956	580	cmd.exe	netsh.exe
PID 964 wrote to memory of 940	964	kua8C69.tmp	K8GM.exe
PID 964 wrote to memory of 940	964	kua8C69.tmp	K8GM.exe
PID 964 wrote to memory of 940	964	kua8C69.tmp	K8GM.exe
PID 964 wrote to memory of 940	964	kua8C69.tmp	K8GM.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe
PID 964 wrote to memory of 1452	964	kua8C69.tmp	K8Update.exe

C:\Users\Admin\AppData\Local\Temp\c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
"C:\Users\Admin\AppData\Local\Temp\c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\~GM3776.exe
"C:\Users\Admin\AppData\Local\Temp\~GM3776.exe"
2⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Local\Temp\kua8C69.tmp
C:\Users\Admin\AppData\Local\Temp\kua8C69.tmp
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8GM.exe" name="快吧游戏管理器" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8GM.exe" name="快吧游戏管理器" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:1500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8DLPlatform.exe" name="快吧游戏下载平台" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8DLPlatform.exe" name="快吧游戏下载平台" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe" name="快吧运行库检测程序" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe" name="快吧运行库检测程序" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe" name="快吧下载故障检测程序" mode=ENABLE scope=ALL
3⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe" name="快吧下载故障检测程序" mode=ENABLE scope=ALL
4⤵
- Modifies Windows Firewall
PID:1956

C:\Program Files (x86)\Kuai8\K8GM.exe
"C:\Program Files (x86)\Kuai8\K8GM.exe" -update_data
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Program Files (x86)\Kuai8\K8Update.exe
"C:\Program Files (x86)\Kuai8\K8Update.exe" -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
C:\Program Files (x86)\Kuai8\K8DLUtils.dll
Filesize
860KB

MD5
9632c62399f6361537a64f341f33e459

SHA1
bf1a075b2410d866043a926945b51056b27c36c6

SHA256
f7456214786dfdeeeee79c83101f5a00f4ab4c72dadd438b988f9547efae4723

SHA512
ee32be1248828dfd32d278b8fea6912a7b8265eaad25e7ca3db7624e05fe3937621bc5e36160691aff3a090cb7346bbf3074ced27c8a16589957ee7a0faee16f

Download Submit
C:\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
C:\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
C:\Program Files (x86)\Kuai8\K8Update.exe
Filesize
368KB

MD5
95d49848066ab1ccfea86cd300d02dbd

SHA1
17647630d602bb5fa27a8ff5d6fdec9bb786e544

SHA256
62983a47759956dc0dd7b7950caaed0deb63869c2c9849178b7e4700a38f9622

SHA512
81f9d5aa02b838f5e97c3072ec248218e56da92312464e66a0095ba969424b8ac689c05d44d14cf3790a4250786331ed732135c97ce6b2d9964285d8921c7cb9

Download Submit
C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
C:\Users\Admin\AppData\Local\Temp\kua8C69.tmp
Filesize
10.9MB

MD5
99f6bee1877dba83d4379de73fcd88f7

SHA1
11ecd3f579c938aa1dafeee0ca3c7cbf8995ffae

SHA256
4ec33557cdd2aae2bbac1203e04a21cd9dfa064e5be3fc25d5f86465b514e140

SHA512
61976035ecdb3581f088357da4613d4bb0e2e7f1794488fdc49d39f6a4a8dd50e78a7ce70ea7be57ae3a48d49c4b112df715880837bc029630e4cd24ecf5f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kua8C69.tmp
Filesize
10.9MB

MD5
99f6bee1877dba83d4379de73fcd88f7

SHA1
11ecd3f579c938aa1dafeee0ca3c7cbf8995ffae

SHA256
4ec33557cdd2aae2bbac1203e04a21cd9dfa064e5be3fc25d5f86465b514e140

SHA512
61976035ecdb3581f088357da4613d4bb0e2e7f1794488fdc49d39f6a4a8dd50e78a7ce70ea7be57ae3a48d49c4b112df715880837bc029630e4cd24ecf5f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GM3776.exe
Filesize
234KB

MD5
9e5e2444622dfb7b1230f8d203f881c0

SHA1
562d167e0076a098c992d1badd877e2be5115219

SHA256
da8e8f094b68ac5b3f350e0f4f61b95f0fa20c785734779ae22a69fc69f8a86a

SHA512
985e780be62bd0615b15856ac0e20b3fa5591400e55e83a0d7c5242ef46ca5a4e797d4bdddeb91d247ab97c15cb9b2216bd7c21f9549b2f423dfe55c0e762eb6

Download Submit
C:\Users\Admin\AppData\Roaming\Kuai8\data\plugin\top.gmx
Filesize
1KB

MD5
0cdb4d571f2ddc52f5fb7936b5ce54bd

SHA1
83351729e5b203f229816747f2679e3e6da7e1ff

SHA256
3b4d8c525dfdf31ae8a02cd22b5042340a18442035648c100b3459e0f710561e

SHA512
cffe12924a95b965c353c4d483059ec32b51fe23c41b15e49bc50a99516edc826ee85678a19f535464c516654564822388acb5939048be9d20d852908e864311

Download Submit
\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
\Program Files (x86)\Kuai8\K8Common.dll
Filesize
3.3MB

MD5
d9e0dcc91cff9421f21b953e5658f451

SHA1
325bac769751b6fd82527d86d1d62f8383cbf2a1

SHA256
8cf8fb3b0398daf38b8797004ea01cc0a3e4edd32a31c9b40a7d1e9d67782cbc

SHA512
9e76413e00f6c034307343b4bba4f75003bf4a56a7e7d56777aa5cc6c9f0bc1699ee6d5ac888835224d27bc3490b27239ad39de8c4e0da583e8a9796f9b154e3

Download Submit
\Program Files (x86)\Kuai8\K8DLUtils.dll
Filesize
860KB

MD5
9632c62399f6361537a64f341f33e459

SHA1
bf1a075b2410d866043a926945b51056b27c36c6

SHA256
f7456214786dfdeeeee79c83101f5a00f4ab4c72dadd438b988f9547efae4723

SHA512
ee32be1248828dfd32d278b8fea6912a7b8265eaad25e7ca3db7624e05fe3937621bc5e36160691aff3a090cb7346bbf3074ced27c8a16589957ee7a0faee16f

Download Submit
\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
\Program Files (x86)\Kuai8\K8GM.exe
Filesize
6.9MB

MD5
dd3248d784e363318e9a08c4f9353981

SHA1
e4e81a1e9757c165f57ed2adf310041ce9e93ee2

SHA256
e21342382c664d3c9c3a1180bee8c3289e00fb04ff91072abdfc376d3db6f31b

SHA512
a87ce1fa2b9b2e4e4744c5abaf3ffaab4760b61782d79011602abd72f195733aea90412a54e2b551f14ee126916e96a97f216625a82f527d1b3eeeea8a5231f0

Download Submit
\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
\Program Files (x86)\Kuai8\K8UIRender.dll
Filesize
1.1MB

MD5
cf856cfedbacc6f4a1bc8a6b2b8d7d7f

SHA1
f2d4e4ffec48a86905413e94e5c27e228df311bb

SHA256
9ab18f5ba803f3625519945f0814635c789fbb8927728d4f1405439e78bb91c2

SHA512
54e6a4a6d5a030f483255bb896d163bbaf47eb60d3e30f6c3b7c9753c236a2db19d27daa4d6d88cdd2ffb181a22842cae39a010f749bf2160400147eda8d3af4

Download Submit
\Program Files (x86)\Kuai8\K8Update.exe
Filesize
368KB

MD5
95d49848066ab1ccfea86cd300d02dbd

SHA1
17647630d602bb5fa27a8ff5d6fdec9bb786e544

SHA256
62983a47759956dc0dd7b7950caaed0deb63869c2c9849178b7e4700a38f9622

SHA512
81f9d5aa02b838f5e97c3072ec248218e56da92312464e66a0095ba969424b8ac689c05d44d14cf3790a4250786331ed732135c97ce6b2d9964285d8921c7cb9

Download Submit
\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
\Program Files (x86)\Kuai8\K8UrlEncrypt.dll
Filesize
45KB

MD5
7e6bc8d673455e1c8aca65995fc587db

SHA1
814ddae0c3f4bb155197b93edc90ee3d2d8225a2

SHA256
89922da0fa862c02aa0245f9e75ce76dee6a06c9cd8f7c4f42934dd2adbcf783

SHA512
03e720bbfa8848a1def64694c2def70f704f1da5992f36e7490172204610e7a058483dbd93b476ed73356a4ff2e3e65a189ba5980e0c20a64b5c82e663d4a405

Download Submit
\Users\Admin\AppData\Local\Temp\kua8C69.tmp
Filesize
10.9MB

MD5
99f6bee1877dba83d4379de73fcd88f7

SHA1
11ecd3f579c938aa1dafeee0ca3c7cbf8995ffae

SHA256
4ec33557cdd2aae2bbac1203e04a21cd9dfa064e5be3fc25d5f86465b514e140

SHA512
61976035ecdb3581f088357da4613d4bb0e2e7f1794488fdc49d39f6a4a8dd50e78a7ce70ea7be57ae3a48d49c4b112df715880837bc029630e4cd24ecf5f58e

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\K8NsisMiniExtend.dll
Filesize
1.2MB

MD5
68140a969a4761d3c4edb9622d8e272b

SHA1
6fdb0891cdc65b17e3446ee61735d44d8866355c

SHA256
f75abfc9edd6c57d7d4c64ff66cfa99e46ea79a688ce4f0083d3beb4aa70aab0

SHA512
94212839308abd1b29c84531fe31477e017651a36adc320f4eef821c5abd7806ad2a03be0a9ad049a41a895dd6faac8f1621a719b6a2a31b414ba0e5489511c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5FCF.tmp\System.dll
Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\~GM3776.exe
Filesize
234KB

MD5
9e5e2444622dfb7b1230f8d203f881c0

SHA1
562d167e0076a098c992d1badd877e2be5115219

SHA256
da8e8f094b68ac5b3f350e0f4f61b95f0fa20c785734779ae22a69fc69f8a86a

SHA512
985e780be62bd0615b15856ac0e20b3fa5591400e55e83a0d7c5242ef46ca5a4e797d4bdddeb91d247ab97c15cb9b2216bd7c21f9549b2f423dfe55c0e762eb6

Download Submit
\Users\Admin\AppData\Local\Temp\~GM3776.exe
Filesize
234KB

MD5
9e5e2444622dfb7b1230f8d203f881c0

SHA1
562d167e0076a098c992d1badd877e2be5115219

SHA256
da8e8f094b68ac5b3f350e0f4f61b95f0fa20c785734779ae22a69fc69f8a86a

SHA512
985e780be62bd0615b15856ac0e20b3fa5591400e55e83a0d7c5242ef46ca5a4e797d4bdddeb91d247ab97c15cb9b2216bd7c21f9549b2f423dfe55c0e762eb6

Download Submit
memory/316-77-0x0000000000000000-mapping.dmp

Download
memory/580-79-0x0000000000000000-mapping.dmp

Download
memory/848-57-0x0000000000000000-mapping.dmp

Download
memory/848-60-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/940-97-0x0000000000AF0000-0x0000000000BC2000-memory.dmp

Filesize
840KB

Download
memory/940-93-0x0000000000230000-0x0000000000344000-memory.dmp

Filesize
1.1MB

Download
memory/940-86-0x0000000000000000-mapping.dmp

Download
memory/964-62-0x0000000000000000-mapping.dmp

Download
memory/1052-76-0x0000000000000000-mapping.dmp

Download
memory/1144-82-0x0000000000000000-mapping.dmp

Download
memory/1452-109-0x0000000000000000-mapping.dmp

Download
memory/1452-114-0x0000000000460000-0x0000000000574000-memory.dmp

Filesize
1.1MB

Download
memory/1500-81-0x0000000000000000-mapping.dmp

Download
memory/1664-117-0x0000000000D80000-0x0000000000E3B000-memory.dmp

Filesize
748KB

Download
memory/1664-58-0x0000000000D80000-0x0000000000E3B000-memory.dmp

Filesize
748KB

Download
memory/1664-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1732-80-0x0000000000000000-mapping.dmp

Download
memory/1844-78-0x0000000000000000-mapping.dmp

Download
memory/1956-83-0x0000000000000000-mapping.dmp

Download