Malware Analysis Report

2025-03-15 06:01

Sample ID 240513-a8t3cagh7z
Target android_root.exe
SHA256 2f400f0b2fe121b8e5b1415a99dfda2f5502b7aa2e7002ef6e464f0d587dba0f
Tags discovery vmprotect
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file android_root.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery vmprotect

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 00:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 00:53

Reported

2024-05-13 00:54

Platform

win11-20240426-en

Max time kernel

47s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\android_root.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\checkupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe N/A

VMProtect packed file

vmprotect

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\android_root.exe C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp
PID 3268 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3268 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3268 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3268 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3268 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3268 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe
PID 3268 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe
PID 4068 wrote to memory of 2844 N/A C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\checkupdate.exe
PID 2844 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\checkupdate.exe C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe

Processes

C:\Users\Admin\AppData\Local\Temp\android_root.exe

"C:\Users\Admin\AppData\Local\Temp\android_root.exe"

C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P9IAP.tmp\android_root.tmp" /SL5="$B006E,18735503,140800,C:\Users\Admin\AppData\Local\Temp\android_root.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM adb.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM fastboot.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM Kingo Root.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM DLManager.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM feedback.exe /T

C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe

"C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe" /install

C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe

"C:\Program Files (x86)\Kingo ROOT\Kingo Root.exe"

C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\checkupdate.exe

"C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\checkupdate.exe" winavi_upd_23128

C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe

"C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe" /install "C:\Users\Admin\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\checkupdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.kgmobi.com udp
US 34.209.203.225:443 log.kgmobi.com tcp
US 104.26.13.219:80 download.kingoapp.com tcp
US 45.33.31.138:80 service.kingoapp.com tcp
US 8.8.8.8:53 138.31.33.45.in-addr.arpa udp

Files
