Analysis
- max time kernel: 208s
- max time network: 230s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2022 17:33
Static task: static1
Behavioral task: behavioral1
Sample: c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
Resource: win7-20221111-en
General
- Target: c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
- Size: 532KB
- MD5: 0fb6df32fe87a12293c860f9c496d719
- SHA1: 2b6a0e99391879a367c1c9b5e073b80a059bdd21
- SHA256: c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616
- SHA512: 32d52a542c3dc1eb2b5fd1cfc5ecb4174207ebc26cb9645fa1cce57aeb9081f8ac38a3bd7a723be7df4ec36f0a8209278e34b4025fb32f70a57abdeb4681bab5
- SSDEEP: 12288:InpaODJZfcaxqAiRp6K/dz44hgtMcoaucg:IjqAiGK/9442t5oaW
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
848 | ~GM3776.exe
964 | kua8C69.tmp
940 | K8GM.exe
1452 | K8Update.exe
-
Modifies Windows Firewall 1 TTPs 4 IoCs
Processes:
pid | process
1500 | netsh.exe
1956 | netsh.exe
1732 | netsh.exe
1144 | netsh.exe
-
Loads dropped DLL 25 IoCs
Processes:
pid | process | IoCs
1664 | c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe | 3
964 | kua8C69.tmp | 15
940 | K8GM.exe | 4
1452 | K8Update.exe | 3
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kua8C69.tmp
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | K8GM.exe
File opened for modification | \??\PhysicalDrive0 | K8Update.exe
-
Drops file in Program Files directory 37 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Kuai8\K8UrlEncrypt.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\msvcr80.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8GameShell64.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8Common.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8GameShell32.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8Common.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8External.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8DLPlatform.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\Microsoft.VC80.CRT.manifest | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8UIRender.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\Microsoft.VC80.CRT.manifest | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool_x64\K8ShellIcon.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8Version.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8TaskBar.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8Shell.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8RestoreWindow.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool_x64\K8Shell.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8ShellIcon.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8Browser.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8Web.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8Update.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\msvcp80.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8DLUtils.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\msvcr80.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8BugReport.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\Uninstall.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8Tray.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8MiniPage.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\audio\complete.wav | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8GM.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8DLUtils.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\K8UIRender.dll | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8Bubble.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\K8NetDetect.exe | kua8C69.tmp
File created | C:\Program Files (x86)\Kuai8\tool\msvcp80.dll | kua8C69.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | kua8C69.tmp
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | kua8C69.tmp
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | kua8C69.tmp
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8GM.exe = "11000" | kua8C69.tmp
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8Browser.exe = "11000" | kua8C69.tmp
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\K8Web.exe = "11000" | kua8C69.tmp
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | kua8C69.tmp
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings | kua8C69.tmp
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
964 | kua8C69.tmp
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1664 | c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
Token: SeManageVolumePrivilege | 940 | K8GM.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
description | pid | process | target process | IoCs
PID 1664 wrote to memory of 848 | 1664 | c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe | ~GM3776.exe | 4
PID 1664 wrote to memory of 964 | 1664 | c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe | kua8C69.tmp | 4
PID 964 wrote to memory of 1052 | 964 | kua8C69.tmp | cmd.exe | 4
PID 964 wrote to memory of 316 | 964 | kua8C69.tmp | cmd.exe | 4
PID 964 wrote to memory of 1844 | 964 | kua8C69.tmp | cmd.exe | 4
PID 964 wrote to memory of 580 | 964 | kua8C69.tmp | cmd.exe | 4
PID 1844 wrote to memory of 1732 | 1844 | cmd.exe | netsh.exe | 4
PID 1052 wrote to memory of 1500 | 1052 | cmd.exe | netsh.exe | 4
PID 316 wrote to memory of 1144 | 316 | cmd.exe | netsh.exe | 4
PID 580 wrote to memory of 1956 | 580 | cmd.exe | netsh.exe | 4
PID 964 wrote to memory of 940 | 964 | kua8C69.tmp | K8GM.exe | 4
PID 964 wrote to memory of 1452 | 964 | kua8C69.tmp | K8Update.exe | 7
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c577114b465fef7b19c0c1cd19c7ecbfee1e3ed5cb108aefbe15226b9a9f8616.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Local\Temp\~GM3776.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\~GM3776.exe"
        - Executes dropped EXE
    -
    [2] C:\Users\Admin\AppData\Local\Temp\kua8C69.tmp
        Command line: C:\Users\Admin\AppData\Local\Temp\kua8C69.tmp
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8GM.exe" name="快吧游戏管理器" mode=ENABLE scope=ALL
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8GM.exe" name="快吧游戏管理器" mode=ENABLE scope=ALL
                - Modifies Windows Firewall
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8DLPlatform.exe" name="快吧游戏下载平台" mode=ENABLE scope=ALL
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\K8DLPlatform.exe" name="快吧游戏下载平台" mode=ENABLE scope=ALL
                - Modifies Windows Firewall
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe" name="快吧运行库检测程序" mode=ENABLE scope=ALL
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8RTLFix.exe" name="快吧运行库检测程序" mode=ENABLE scope=ALL
                - Modifies Windows Firewall
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe" name="快吧下载故障检测程序" mode=ENABLE scope=ALL
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram program="C:\Program Files (x86)\Kuai8\tool\K8PluginFix.exe" name="快吧下载故障检测程序" mode=ENABLE scope=ALL
                - Modifies Windows Firewall
        -
        [3] C:\Program Files (x86)\Kuai8\K8GM.exe
            Command line: "C:\Program Files (x86)\Kuai8\K8GM.exe" -update_data
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of AdjustPrivilegeToken
        -
        [3] C:\Program Files (x86)\Kuai8\K8Update.exe
            Command line: "C:\Program Files (x86)\Kuai8\K8Update.exe" -install
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads