MD5: 8a3740ff1eea52073cde0db49b0d398f
SHA1: 76974574f739cfbb0d80e2a5db2209f0e950bfa2
SHA256: 5d1b68e7ec358028619d4bd4f8621dfffb8ab1e0991fe5bcbc142832213fcdf5
SSDeep: 6144:SSOw/y4d67EgN0iC1bLY7coVYh4Nf9fG5 UmycGxHLLm4Yw7Ijz:SSOf4TgNJp3YOFNKIycGNvm4J70
Size: 376116 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-21 05:48:12
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

kp4_Mini.exe:660
kuping_v4.exe:600
dwwin.exe:752
getnew.exe:1672
kuping_b_53390.exe:432

The Trojan injects its code into the following process(es):

%original file name%.exe:1196

File activity

The process kp4_Mini.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\kuping4\Universal\UniversalMiniSkin\Mini.ico (1159 bytes)
C:\kuping4\softset.ini (370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_83.tmp (225 bytes)
C:\kuping4\Universal\UniversalMiniSkin\skinconfig.ini (89 bytes)
%Documents and Settings%\%current user%\My Documents\Universal\Universal.ini (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MI_89.tmp (1 bytes)
C:\kuping4\Universal\unrar.dll (185 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\ui\mini\bg.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\309d_appcompat.txt (20221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RM_87.tmp (874 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CA_84.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MA_8B.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_8D.tmp (1 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\ui\mini\close.png (2 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\ui\mini\small.png (1 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\ui\mini\seach.png (1 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\skin.ini (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_86.tmp (213792 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\ui\mini\seach-btn.png (1 bytes)
C:\kuping4\Universal\UniversalMiniSkin\默认\ui\mini\logo.png (4 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CA_84.tmp (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\seach.png (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\close.png (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\small.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_86.tmp (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\seach-btn.png (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MI_89.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8A.tmp (0 bytes)
C:\op_83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RM_87.tmp (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\bg.png (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MA_8B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_88.tmp (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\logo.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8E.tmp (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui (0 bytes)
C:\kuping4\Universal\UniversalMiniSkin (0 bytes)

The process kuping_v4.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\kuping4\Update\soft.ini (1714 bytes)
C:\kuping4\softset.ini (736 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_80.tmp (126 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1060 bytes)
C:\kuping4\TempDownLoad\Home\11275.jpg_0 (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9LJNTUH\Liveindex[1].htm (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81AVK52J\stat[1].php (1163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_81.tmp (2 bytes)
C:\kuping4\Kpclick.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_7F.tmp (631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9LJNTUH\core[1].php (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81AVK52J\stat[1].gif (43 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DW_81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_7F.tmp (0 bytes)
C:\kuping4\TempDownLoad\Home\11275.jpg_0 (0 bytes)

The process dwwin.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\11373A.dmp (127725 bytes)

The process getnew.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\kuping4\Update\soft.ini (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_82.tmp (426 bytes)
C:\kuping4\Update\updatelog.ini (31 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DW_82.tmp (0 bytes)

The process %original file name%.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMZG52N\desktop.ini (67 bytes)
%Program Files%\kuping_b_53390.exe (37274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPIRWXAZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9LJNTUH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81AVK52J\desktop.ini (67 bytes)

The process kuping_b_53390.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\list-screen.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\bg_focus.png (327 bytes)
C:\kuping4\skinConfig\ĬÈÏ\LocalManagement_Layer.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\bg-6.png (210 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\delete.png (486 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\list-mause.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\management.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\computer.png (1568 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\aboutme-text.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\DownloadWebDlg\delete.png (960 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (321 bytes)
C:\kuping4\TempDownLoad\Home\11272.jpg (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\image-bg.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\recover.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\update-button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\button-skin-add.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\CenterDlgConfig\UploadImageLayer.ini (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\tick_fcous.png (714 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\cancel-button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\min.png (338 bytes)
C:\kuping4\TempDownLoad\UserLive\tempfile\userlive.xml (480 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\notice\sure_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\cursor\right.cur (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\1111.png (199 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\serch-bg.png (161 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\cancel-button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\bg_di.png (306 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\RegisterSkin.ini (693 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¿áÆÁ4\¿áÆÁ4.lnk (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\scroll_block.png (95 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\update.png (556 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\blue.png (307 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\explain.png (559 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\add-app-bg_02.png (523 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\DownloadWebDlg\scroll-bg.png (305 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SkinInfo.ini (19 bytes)
C:\kuping4\TempDownLoad\Home\11276.jpg (392 bytes)
C:\kuping4\kuping_v4.exe (5620 bytes)
C:\kuping4\Kp_BootClry.exe (1137 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\left-bck.png (1 bytes)
C:\kuping4\SystemConfig\setting.ini (255 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\MsgBox_1.ini (729 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\share.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\notice\notice.png (1 bytes)
C:\kuping4\Appsoftconfig\image\clear.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\skin_bg_02.png (791 bytes)
C:\kuping4\UniversalFunction.dll (4840 bytes)
C:\kuping4\Appsoftconfig\image\ielogo.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\login_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\progress_bg.png (283 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\kupingbg-03_01.png (784 bytes)
C:\kuping4\Uninstall\StartMenu.exe (24 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Conventional-set.png (988 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\attention.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\list-icon.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\list-pause.png (669 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\bg-3.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\max.png (157 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\App.png (868 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\x.png (943 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\lijixiufu.png (784 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\bg-2.png (1 bytes)
C:\kuping4\TempDownLoad\StartUp\tempfile\StartUp.xml (784 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\scroll_deck.png (175 bytes)
C:\kuping4\MSGBoxSkin\UI\stop_button.png (1 bytes)
C:\kuping4\Appsoftconfig\image\buttoncmd.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\kp4.2flash_01.png (791 bytes)
C:\kuping4\Update\SkinResource\CheckUpdate.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Default-recovery_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\bg_02.png (4 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\center-line.png (128 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\collection.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig (4 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\bg.png (341 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\theme.png (196 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\Uninstall.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IconListEx\cancel.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\close.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\album.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SettingMenuDlgConfig\UpDateMenu_Layer.ini (1 bytes)
C:\kuping4\MSGBoxSkin\MSGBoxSkin.ini (2 bytes)
C:\kuping4\MSGBoxSkin\UI\delete.png (486 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\list-Screen-saver.png (196 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\bg_02.png (1765 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\mainsub.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81AVK52J\index[1].htm (750 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\progress.png (107 bytes)
C:\kuping4\skinConfig\ĬÈÏ\MouseNavigation_Layer.ini (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\search.png (681 bytes)
C:\kuping4\KPUpdater.dll (3439 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\smile.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\LZMA.dll (68 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\re-choice.png (371 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\delete.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\help.png (633 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\home.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\list_wallpaper.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\mause.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\lefr_bg.png (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMZG52N\h[1].js (5 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SettingMenuDlgConfig\ApplicationMenu_Layer.ini (3 bytes)
C:\kuping4\QuickenFunctionConfig\Management\status.ini (161 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\mainsub.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\newcreat-bg.png (171 bytes)
C:\kuping4\Update\SkinResource\Minimize.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\Modify-head.png (922 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\iconlist_bg.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\¿áÆÁ4.0flash_02.png (414 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\tick.png (227 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\bg_top.png (984 bytes)
C:\kuping4\skinConfig\ĬÈÏ\CenterDlgConfig\TailorHeadImageLayer.ini (1 bytes)
C:\kuping4\TempDownLoad\Home\11273.jpg (588 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\sure_button.png (1 bytes)
C:\kuping4\KpInstallTheme.exe (1764 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\update-online_botton.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\silent_download.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\newcreat-focus.png (214 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\progress_focus.png (190 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\focus.png (222 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\theme-max.png (1529 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\application\icon_focus.png (483 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\failRefresh.png (382 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\about\logo_s.png (970 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\add.png (392 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (545 bytes)
C:\kuping4\skinConfig\ĬÈÏ\MenuSetConfig.ini (48 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\list-bg.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\MainSkin.ini (697 bytes)
C:\kuping4\Universal\Soft\softset.ini (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\cancel.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\CenterDlgConfig\tag.ini (205 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\kupingbg-03_02.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Personal-center.png (196 bytes)
C:\kuping4\MSGBoxSkin\UI\retry_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\cursor\left.cur (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\tag-line.png (108 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\notMulti.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\help_icon.png (730 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\error.png (544 bytes)
C:\kuping4\Universal\skinConfig.rar (980 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\silder.png (363 bytes)
C:\kuping4\VersionConfig.xml (1060 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\notcheak.png (391 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\bg.png (1372 bytes)
C:\kuping4\getnew.exe (1960 bytes)
C:\kuping4\SpecialSubject.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\cancel.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\down.png (178 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\SkinCenter.ini (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
C:\kuping4\skinConfig\ĬÈÏ\CenterDlgConfig\MainSkin.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\loading.png (196 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\jindutiao.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\line.png (109 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\reg-btn.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\focus-bg.png (107 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\notchoose.png (879 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\aboutme.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\progress_bg1.png (258 bytes)
C:\kuping4\TempDownLoad\UserLive\version.ini (29 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\application\scroll_thumb.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\install-button.png (1 bytes)
C:\kuping4\QuickenFunctionConfig\Management\ManagementCommerce.xml (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\white.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\skin_bg_03.png (421 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\delete.png (1 bytes)
C:\kuping4\info.ini (16 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\login_bg.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\log-bckhead.png (4 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\tui-chu.png (232 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\application.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\close.png (2 bytes)
C:\kuping4\Appsoftconfig\image\buttonclear.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\delete.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\AppDlgConfig\MainDlgSkin.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\loading.png (2 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\advert.png (980 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\bg_top.png (984 bytes)
C:\kuping4\skinConfig\ĬÈÏ\NoticeDlgSkin.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\line_w.png (91 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\pro.png (338 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\SkinCenterDownload.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\notMulti.png (912 bytes)
C:\kuping4\skinConfig\ĬÈÏ\IconsFolderNavigation_Layer.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\loading.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\delete.png (486 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\myBaoku.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\ImageLook\load.png (3 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\config.153624[1].xml (266 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\install_icon.png (971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_7E.tmp (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\cover.png (109 bytes)
C:\kuping4\TempDownLoad\TagInfo\list_win7.xml (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\title-bg.png (2 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\bg.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\set.png (522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9LJNTUH\stat[1].gif (43 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\ImageLook\bg_nf.png (588 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\download.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\cut_button-ato.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\kankan.png (1921 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\skin.png (629 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\green.png (324 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\bg_01.png (708 bytes)
C:\kuping4\MSGBoxSkin\UI\success.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\choose.png (883 bytes)
C:\kuping4\skinConfig\ĬÈÏ\Login_Layer.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\new-bg.png (274 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\bg-5.png (214 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\news.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\upload_button.png (588 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\progress_bg2.png (182 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\sure_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\bg.png (784 bytes)
C:\kuping4\TempDownLoad\Home\11279.jpg (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\meihua.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\scroll_thumb.png (744 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\page.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\about\sure_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\application\scroll_block.png (763 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\DownloadWebDlg\notice-bg.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\UpdateNetError.ini (633 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\UpdateDownloadPage.ini (592 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\bg1.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\loading2.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\city-about.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\menu_move.png (440 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\Label-input-box.png (258 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\open.png (784 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\uphead.png (1 bytes)
C:\kuping4\QuickenFunctionConfig\home\HomeConfig.xml (1 bytes)
C:\kuping4\TempDownLoad\Home\Homeversion.ini (31 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\yellow.png (298 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\log-bck.png (543 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\danxuan.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\focus.png (142 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\seach-btn.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\FeedbackDlgConfig\MainFeedbackDlg.ini (879 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\mail.png (263 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\Screen-saver.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\tag_focus.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\WebContro.ini (529 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\logo.png (970 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\function.png (392 bytes)
C:\kuping4\softset.ini (2129 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\install_icon.png (971 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\focus.png (199 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\drop-down.png (338 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\add-app-bg_01.png (974 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\sina_logo.png (638 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\app.png (987 bytes)
C:\kuping4\TempDownLoad\TagInfo\TagVersion.ini (29 bytes)
C:\kuping4\skinConfig\ĬÈÏ\MainSkin.ini (3 bytes)
C:\kuping4\Uninstall\skinConfig_un\skinconfig.ini (85 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\album.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\My-collection.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\begin.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\title-Modify-head.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\gray.png (313 bytes)
C:\kuping4\QuickenFunctionConfig\deskIco\status.ini (16 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\img_01.png (588 bytes)
C:\kuping4\Appsoftconfig\image\play.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\application\iconlist_bg.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\head120.png (1372 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\silder-fill.png (343 bytes)
C:\kuping4\Update\soft.ini (908 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\DownloadWebDlg\set-cancel.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\logo.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IconListEx\icon_focus.png (510 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\bg-1.png (794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\btn_known.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\bg.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\tailorBg.jpg (1764 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\cheak.png (564 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\logo.png (970 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\update.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\orange.png (327 bytes)
C:\kuping4\skinConfig\skinversion.ini (29 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\shuyeer.png (196 bytes)
C:\kuping4\Appsoftconfig\image\buttoncoculation.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ScreenSaverNavigation_Layer.ini (196 bytes)
C:\kuping4\Appsoftconfig\image\soft.xml (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\set_icon.png (782 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\upon.png (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\TongJICNZZ.dll (65 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\UpdateSkin.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPIRWXAZ\h[1].js (5 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\ImageLook\bg_wf.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\delete.png (486 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\popmenu.png (678 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\check-box_focus.png (991 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\My-share.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\focus-l.png (222 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\about\about.png (1176 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\m.png (3 bytes)
C:\kuping4\MSGBoxSkin\UI\warning.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\¡Ì.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\page2.png (106 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\sure.png (634 bytes)
C:\kuping4\UserBehaviorStatistics.dll (471 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\list_theme.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\logo.png (584 bytes)
C:\kuping4\kp4_Mini.exe (157 bytes)
C:\kuping4\skinConfig\ĬÈÏ\AllApplication_Layer.ini (1 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\input.png (212 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\Label-input-box1.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\continue.png (382 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\delete.png (486 bytes)
C:\kuping4\uninstall.exe (2145 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IconListEx\add-m.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\recover.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\SepLine.png (99 bytes)
C:\kuping4\TempDownLoad\Home\11275.jpg_0 (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\skin_bg_01.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\updown.png (280 bytes)
C:\kuping4\skinConfig\ĬÈÏ\HomePageShow_Layer.ini (3 bytes)
C:\kuping4\Appsoftconfig\APPversion.ini (59 bytes)
C:\kuping4\MSGBoxSkin\UI\faild.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\ImageLook\refresh.png (1 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\seach.png (1 bytes)
C:\kuping4\Update\SkinResource\Exit.png (1 bytes)
C:\kuping4\Appsoftconfig\image\buttonplay.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\UpdateCheckPage.ini (261 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\loading2.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\UpdateInfoPage.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\CenterDlgConfig\MyBaoku.ini (3 bytes)
C:\kuping4\DeskTopPop.exe (1529 bytes)
C:\kuping4\Appsoftconfig\image\sou.png (196 bytes)
C:\kuping4\Update\SkinResource\IsNew.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\Boot-screen.png (196 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\close.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\DownloadWebDlg\scroll.png (410 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\mennu-bg.png (363 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\blue.png (90 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\min.png (338 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\cancel.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\collection.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\set.png (234 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\nextpage.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\BootScreenNavigation_Layer.ini (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\brown.png (286 bytes)
C:\kuping4\Update\SkinResource\BKStep1.png (902 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\icon.png (392 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (205 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SettingMenuDlgConfig\MainMenuDlgSkin.ini (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¿áÆÁ4\жÔØ¿áÆÁ4.lnk (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\progress.png (179 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\save.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SystemThemeNavigation_Layer.ini (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\pink.png (290 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\wallpaper.png (196 bytes)
C:\kuping4\MSGBoxSkin\UI\error.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMZG52N\21[1].gif (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\doc_plus_icon&16.png (264 bytes)
C:\kuping4\unrar.dll (824 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\down.png (161 bytes)
C:\kuping4\Update\SkinResource\ProgressBar.png (984 bytes)
C:\kuping4\QuickenFunctionConfig\deskIco\DeskIconConfig.xml (8 bytes)
C:\kuping4\KPMsgBoxDll.dll (2694 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\feedback_icon.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Silence-set_button.png (1 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\finish2.png (588 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\small.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\focus-2.png (200 bytes)
C:\kuping4\TempDownLoad\Home\11274.jpg (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\delete-button.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\CenterDlgConfig\WebPage.ini (594 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\list-bg.png (96 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\mouse.png (549 bytes)
C:\kuping4\skinConfig\skinconfig.ini (84 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Download-set.png (966 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Multi.png (998 bytes)
C:\kuping4\login.dll (2185 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\right_bg.png (194 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Application-Settings.png (953 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-share\bg.png (196 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÆÁ4.lnk (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\line_h.png (92 bytes)
C:\kuping4\skinConfig\ĬÈÏ\WebContrl_Layer.ini (775 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ImageLookDlgConfig\MainSkin.ini (129 bytes)
C:\kuping4\TongJICNZZ.dll (1333 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\application.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\scroll_down.png (982 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\black.png (316 bytes)
%Documents and Settings%\%current user%\Desktop\¿áÆÁ4.lnk (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\start.png (941 bytes)
C:\kuping4\dgmon.dll (471 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\Input-box.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\view-bg.png (509 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\ImageLook\fail.png (196 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\lijiuninstall.png (784 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Screening-bg2.png (102 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\Alert.png (1 bytes)
C:\kuping4\Appsoftconfig\image\Iebuttonlogo.png (196 bytes)
C:\kuping4\TempDownLoad\Home\home.xml (1764 bytes)
C:\kuping4\livability.dll (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9LJNTUH\tongji_baidu[1].htm (295 bytes)
C:\kuping4\Update\SkinResource\Fnish.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\fail.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\WebContro.ini (617 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\show.png (413 bytes)
C:\kuping4\Kp_BootClr.exe (1137 bytes)
C:\kuping4\Repairer.exe (549 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\re.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\UpdateNormal.ini (641 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\backpage.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\white.png (283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\bg_small.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\set_1.png (522 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\kupingbg-03_03.png (980 bytes)
C:\kuping4\Appsoftconfig\image\cmd.png (196 bytes)
C:\kuping4\Update\SkinResource\Point.png (1 bytes)
C:\kuping4\BootStart.dll (157 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\cancel.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\add-app-bg_03.png (412 bytes)
C:\kuping4\Universal\UniversalMiniSkin\ĬÈÏ\ui\mini\logo.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\about\delete.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\notice\Alert.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\App-manager.png (654 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\display_shadow.png (115 bytes)
C:\kuping4\Universal\UniversalCpaSkin.rar (1098 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\app-button.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\content.png (416 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\delete.png (486 bytes)
C:\kuping4\MSGBoxSkin\UI\infomation.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\mennu-bg2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPIRWXAZ\stat[1].php (770 bytes)
C:\kuping4\Appsoftconfig\image\coculation.png (196 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\img.wallba[1].xml (266 bytes)
C:\kuping4\skinConfig\ĬÈÏ\tooltipUi\cut_button-hand.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\headbg.png (556 bytes)
C:\kuping4\skinConfig\ĬÈÏ\DownloadWebImageDlg\MainSkin.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\My-resources.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\about.png (606 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\dan_xuan.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\bg_vein.png (268 bytes)
C:\kuping4\Appsoftconfig\button.xml (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\LocTween_Layer.ini (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\login-btn.png (2 bytes)
C:\kuping4\Update\SkinResource\Cancel.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateNoticeDlg.ini (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\scroll_thumb.png (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (8 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SeverTween_Layer.ini (1 bytes)
C:\kuping4\Update\SkinResource\BKStep2.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\screen.png (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMZG52N\h[2].js (12 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\tip.png (591 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\set.png (549 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\notchoose.png (879 bytes)
C:\kuping4\version.ini (44 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\red.png (318 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\scroll_up.png (927 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\head60.png (392 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\up.png (160 bytes)
C:\kuping4\SystemConfig\LocWallpaleXml.xml (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Software-update.png (998 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\ImageLook\loading.png (3 bytes)
C:\kuping4\Update\UpData.dll (2342 bytes)
C:\kuping4\Update\SkinResource\Update.png (196 bytes)
C:\kuping4\QuickenFunctionConfig\Setup\CpaConfig.xml (8 bytes)
C:\kuping4\skinConfig\ĬÈÏ\newUi\local.png (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\SkinCenter\scroll_block.png (763 bytes)
C:\kuping4\IndividualCenter.dll (5389 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\list-bg2.png (2 bytes)
C:\kuping4\SkinCenter.dll (3635 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\daohang\myDownLoad.png (392 bytes)
C:\kuping4\Kpclick.ini (187 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ResourceNavigation_Layer.ini (974 bytes)
C:\kuping4\MSGBoxSkin\UI\yes_button.png (1 bytes)
C:\kuping4\Appsoftconfig\softtempfile\soft.xml (196 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IconListEx\iconlist_bg.png (314 bytes)
C:\kuping4\Appsoftconfig\image\buttonsou.png (196 bytes)
C:\kuping4\skinConfig\SkinSetting.xml (1 bytes)
C:\kuping4\MSGBoxSkin\UI\question.png (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\UpdateNotice\bkimg.png (429 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\Directory-box_bg.png (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\installedSoftInfo.ini (1952 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\bg-4.png (287 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\submit.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\81AVK52J\core[1].php (799 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\check-box.png (540 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\flowerpot.png (3 bytes)
C:\kuping4\Update\info.ini (18 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Menu\doc_empty_icon&16.png (293 bytes)
C:\kuping4\Update\UDStatictical.dll (1882 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\slice\choose.png (883 bytes)
C:\kuping4\TempDownLoad\TagInfo\list_xp.xml (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\finish-button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SettingMenuDlgConfig\ConventionalMenu_Layer.ini (1 bytes)
C:\kuping4\KPConfig.inf (3 bytes)
C:\kuping4\Uninstall\installedSoftInfo.ini (984 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\kupingbg-02.png (588 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\Personal-information\share.png (472 bytes)
C:\kuping4\TempDownLoad\Home\11277.jpg (196 bytes)
C:\kuping4\SystemConfig\LocThemeXml.xml (416 bytes)
C:\kuping4\ThemeInstall.dll (863 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\Screening-bg.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\caption-bg.png (417 bytes)
C:\kuping4\MSGBoxSkin\UI\bg_top.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\cheakskin\MainSkin.ini (1 bytes)
C:\kuping4\MSGBoxSkin\UI\cancel-button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\refresh.png (726 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\suspend.png (504 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\tempfile.tmp (184 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\apple.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\DesktopWallpaperNavigation_Layer.ini (196 bytes)
C:\kuping4\Update\SkinResource\PopupBox.png (392 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\tag.png (195 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\kankan.png (1725 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\feedback\delete.png (486 bytes)
C:\kuping4\skinConfig\ĬÈÏ\NoLogin_Layer.ini (941 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\My-resources\use.png (196 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\bg_01.png (392 bytes)
C:\kuping4\TempDownLoad\SearchBuff.ini (23 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\IndivCenter\upload\tag-bg.png (350 bytes)
C:\kuping4\MSGBoxSkin\UI\no_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\color\purple.png (325 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\list\progress_frame.png (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\login\ui\failure.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPIRWXAZ\h[2].js (12 bytes)
C:\kuping4\skinConfig\ĬÈÏ\SettingMenuDlgConfig\DownLoadMenu_Layer.ini (3 bytes)
C:\kuping4\skinConfig\ĬÈÏ\UpdateUi\ui\UpdateSkin\min.png (338 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\xiezai.png (375 bytes)
C:\kuping4\TempDownLoad\Home\11278.jpg (588 bytes)
C:\kuping4\Update\SkinResource\Ok.png (196 bytes)
C:\kuping4\Update\SkinResource\FnishSmall.png (2 bytes)
C:\kuping4\Uninstall\skinConfig_un\ĬÈÏ\ui\Uninstall\mennu_narrow.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\progress\icon_focus.png (317 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\skin.png (629 bytes)
C:\kuping4\Update\Skin.ini (2 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\jindutiao1.png (99 bytes)
C:\kuping4\ExpandPackCheck.exe (1725 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\add-app-bg.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\icon.png (1764 bytes)
C:\kuping4\MSGBoxSkin\UI\ok_button.png (1 bytes)
C:\kuping4\skinConfig\ĬÈÏ\ui\focus3.png (357 bytes)
C:\kuping4\skinConfig\ĬÈÏ\AboutDlgConfig\MainDlg.ini (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\TongJICNZZ.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPIRWXAZ\h[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\www.aaa[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\cancel.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\MsgBox_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMZG52N\h[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\installedSoftInfo.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\bg_small.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\close.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_7E.tmp (0 bytes)
C:\op_7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\LZMA.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KP_7D\skinconfig\ĬÈÏ\ui\msgbox\btn_known.png (0 bytes)

Registry activity

The process kp4_Mini.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F D8 3C 8C 65 7A F7 15 B8 99 C8 26 BE F9 1B 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process kuping_v4.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\kpscrfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCR\kplguifile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\kpthemefile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Kuping]
"InstallPath" = "c:\kuping4\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\kpiconfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,4"

[HKCR\kpthemefile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,1"

[HKCR\kpscrfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\.kprar]
"(Default)" = "kprarfile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\kpscrfile\Shell]
"(Default)" = "Open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\kpcurfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCR\kprarfile]
"(Default)" = "¿áÆÁÖ÷Ìâ×ÊÔ´Îļþ"

[HKCR\kpthemefile\Shell]
"(Default)" = "Open"

[HKCU\Software\Kuping]
"ExcutePath" = "c:\kuping4\kuping_v4.exe"

[HKCR\kpiconfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCR\.kpscr]
"(Default)" = "kpscrfile"

[HKCR\kprarfile\Shell]
"(Default)" = "Open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\kpcurfile]
"(Default)" = "¿áÆÁÊó±êÖ¸Õë×ÊÔ´Îļþ"

[HKCR\kprarfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\kpscrfile]
"(Default)" = "¿áÆÁÆÁ±£×ÊÔ´Îļþ"

[HKCR\kpcurfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,3"

[HKCR\kplguifile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\kpcurfile\Shell]
"(Default)" = "Open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\.kpicon]
"(Default)" = "kpiconfile"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 4A 6E 00 4A 1B 1E BF 0D 09 40 AD 3A 5E E8 C2"

[HKCR\kprarfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Kuping]
"Command" = "install"

[HKCR\.kpcur]
"(Default)" = "kpcurfile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\kpiconfile\Shell]
"(Default)" = "Open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\kplguifile\Shell]
"(Default)" = "Open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\.kptheme]
"(Default)" = "kpthemefile"

[HKCR\.kplgui]
"(Default)" = "kplguifile"

[HKCR\kpiconfile]
"(Default)" = "¿áÆÁͼ±ê×ÊÔ´Îļþ"

[HKCR\kpthemefile]
"(Default)" = "¿áÆÁÖ÷Ìâ×ÊÔ´Îļþ"

[HKCR\kplguifile]
"(Default)" = "¿áÆÁµÇ¼½çÃæ×ÊÔ´Îļþ"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dwwin.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 8C F2 33 43 FC 68 56 85 49 48 65 96 3D 58 FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process getnew.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 76 70 24 F2 98 09 64 B5 34 01 74 3C 80 48 D2"

The process %original file name%.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC D3 F5 A7 C0 9F 62 53 78 BC 06 19 A7 84 78 61"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process kuping_b_53390.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\.kplgui]
"(Default)" = "kplguifile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\kpscrfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014060920140610]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KP4]
"DisplayName" = "¿áÆÁ4"

[HKCR\kpcurfile\Shell]
"(Default)" = "Open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014060920140610]
"CachePrefix" = ":2014060920140610:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\kpiconfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\kpscrfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\.kpscr]
"(Default)" = "kpscrfile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\.kptheme]
"(Default)" = "kpthemefile"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216" = "My Computer"

[HKCR\kpcurfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014060920140610]
"CacheOptions" = "11"

[HKCR\.kprar]
"(Default)" = "kprarfile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014060920140610]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014060920140610\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\kpscrfile\Shell]
"(Default)" = "Open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\kplguifile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KP4]
"URLInfoAbout" = "http://www.wallba.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KP4]
"Publisher" = "»°Óï¿Æ¼¼"

[HKCR\.kpicon]
"(Default)" = "kpiconfile"

[HKCR\kprarfile]
"(Default)" = "Ö÷Ìâ×ÊÔ´Îļþ"

[HKCR\kpthemefile\Shell]
"(Default)" = "Open"

[HKCR\kpiconfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCR\kpthemefile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,1"

[HKCR\kprarfile\Shell]
"(Default)" = "Open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\kpcurfile]
"(Default)" = "Êó±êÖ¸Õë×ÊÔ´Îļþ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\kpscrfile]
"(Default)" = "ÆÁ±£×ÊÔ´Îļþ"

[HKCR\kpcurfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\kplguifile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\kpthemefile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KP4]
"DisplayVersion" = "4.3.1.1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 7E 57 FC 86 9A D1 1A 6C 2F 19 C7 48 F1 7A 37"

[HKCR\kprarfile\DefaultIcon]
"(Default)" = "c:\kuping4\kuping_v4.exe,2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KP4]
"UninstallString" = "c:\kuping4\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014060920140610]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\.kpcur]
"(Default)" = "kpcurfile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\kpiconfile\Shell]
"(Default)" = "Open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\kplguifile\Shell]
"(Default)" = "Open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KP4]
"DisplayIcon" = "c:\kuping4\kuping_v4.exe"

[HKCR\kprarfile\Shell\Open\Command]
"(Default)" = "c:\kuping4\KpInstallTheme.exe %1"

[HKCR\kpiconfile]
"(Default)" = "ͼ±ê×ÊÔ´Îļþ"

[HKCR\kpthemefile]
"(Default)" = "Ö÷Ìâ×ÊÔ´Îļþ"

[HKCR\kplguifile]
"(Default)" = "µÇ¼½çÃæ×ÊÔ´Îļþ"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kuping4" = "c:\kuping4\Kp_BootClr.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"%original file name%.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 4
88a9b3e31998982eea246b762564c443
b9a2d5732a753d35e5225b719e77099a
37bd3e78933db6863bf17a82eba47c5c
53af0782e080923bfcca86f1cbc7530d

URLs

URL	IP
hxxp://d.union.kuping.cc/download.php/kuping_b_53390.exe	222.186.60.27
hxxp://youqian.baidu.com/download/bdBrowserSetup-5810-ftn_1000039714.exe	115.239.211.50
hxxp://tj.153624.com/report/	101.251.196.27
hxxp://config.153624.com/Public/conf/c-lock/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://config.153624.com/Public/tongji_baidu.html?ip=&mac=00-0C-29-64-A0-20&area=&channel_id=53390&install_way=1&soft_id=1&start_way=0&type=install&version=4.3.2.2	222.186.60.10
hxxp://wallba.com.m.01cdn.com/Public/Configs/index.html?id=53390&class=silence
hxxp://c.split.cnzz.com/stat.php?id=4793307&web_id=4793307
hxxp://hm.e.shifen.com/h.js?7e36c4d74dc16bfa27cd9aea154b5de5
hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=185766198&si=7e36c4d74dc16bfa27cd9aea154b5de5&st=1&v=1.0.59&lv=1
hxxp://static.n.shifen.com/hmt/icon/21.gif
hxxp://z3.cnzz.com/stat.htm?id=4793307&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=725810708-1402350084-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefinedundefinedundefined&rnd=252340755
hxxp://c.split.cnzz.com/core.php?web_id=4793307&t=z
hxxp://wallba.com.m.01cdn.com/ImagesCache/335x335min/data/Image/2013hjw/3yue/7hao/chbz/19/20133795822390.jpg
hxxp://d.union.kuping.cc/Public/Configs/Functon_version.xml	222.186.60.27
hxxp://hm.e.shifen.com/h.js?00d743cebf532de99c9b8d0cb34f0c40
hxxp://config.153624.com/Public/conf/open/1/1_4_3_2_2/10.jpg	222.186.60.10
hxxp://d.union.kuping.cc/Public/Configs/Liveindex.html?id=53390	222.186.60.27
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=913603030
hxxp://config.153624.com/Public/analysis/motionsendway.xml	222.186.60.10
hxxp://d.union.kuping.cc/Public/Configs/KpLiveControl/53390.xml	222.186.60.27
hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=36732087&si=00d743cebf532de99c9b8d0cb34f0c40&st=1&v=1.0.59&lv=1&tt=cnzz统计
hxxp://config.153624.com/1.xml	222.186.60.10
hxxp://pcookie.split.cnzz.com/app.gif?&cna=CRgdDIoZnicCAbhrJiboztvu
hxxp://tj.153624.com/behavior/	101.251.196.27
hxxp://c.split.cnzz.com/stat.php?id=4833416&web_id=4833416
hxxp://config.153624.com/Public/conf/cpa/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://c.split.cnzz.com/core.php?web_id=4833416&t=z
hxxp://z9.cnzz.com/stat.htm?id=4833416&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=2021464923-1402350090-&showp=1024x768&st=0&sin=&t=undefinedundefined&rnd=1983988927
hxxp://cc00011.h.cnc.ccgslb.com.cn/1/scheme/53390.xml
hxxp://d.union.kuping.cc/Public/Configs/KpInstall/AnImg.xml	222.186.60.27
hxxp://xnop014.tlgslb.com/Public/Upload/Soft/kptoolbar_b_8.exe
hxxp://d.union.kuping.cc/Public/Configs/KpStartupControl/53390.xml	222.186.60.27
hxxp://config.153624.com/Public/conf/media/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://config.153624.com/Public/conf/mini/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://config.153624.com/Public/conf/homepage/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://config.153624.com/Public/conf/icon/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://config.153624.com/Public/conf/bz_pop_xml/1/1_4_3_2_2/53390.xml	222.186.60.10
hxxp://config.wallba.com/Public/Configs/KpInstall/AnImg.xml	222.186.60.27
hxxp://eiv.baidu.com/hmt/icon/21.gif	115.239.211.92
hxxp://img.wallba.com/Public/Configs/index.html?id=53390&class=silence	222.186.60.7
hxxp://hm.baidu.com/h.js?7e36c4d74dc16bfa27cd9aea154b5de5	61.135.185.140
hxxp://pcookie.cnzz.com/app.gif?&cna=CRgdDIoZnicCAbhrJiboztvu	42.120.219.171
hxxp://config.wallba.com/Public/Configs/Functon_version.xml	222.186.60.27
hxxp://hm.baidu.com/h.js?00d743cebf532de99c9b8d0cb34f0c40	61.135.185.140
hxxp://hzs21.cnzz.com/stat.htm?id=4833416&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=2021464923-1402350090-&showp=1024x768&st=0&sin=&t=undefinedundefined&rnd=1983988927	42.156.140.22
hxxp://hzs6.cnzz.com/stat.htm?id=4793307&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=725810708-1402350084-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefinedundefinedundefined&rnd=252340755	42.156.140.16
hxxp://img.kuping.cc/Public/Upload/Soft/kptoolbar_b_8.exe	122.226.163.83
hxxp://img.wallba.com/ImagesCache/335x335min/data/Image/2013hjw/3yue/7hao/chbz/19/20133795822390.jpg	222.186.60.7
hxxp://s4.cnzz.com/stat.php?id=4793307&web_id=4793307	1.99.192.15
hxxp://upgrade.kuping.cc/1/scheme/53390.xml	103.224.232.40
hxxp://c.cnzz.com/core.php?web_id=4833416&t=z	42.120.219.6
hxxp://config.wallba.com/Public/Configs/KpStartupControl/53390.xml	222.186.60.27
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=913603030	42.120.219.171
hxxp://config.wallba.com/Public/Configs/Liveindex.html?id=53390	222.186.60.27
hxxp://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=36732087&si=00d743cebf532de99c9b8d0cb34f0c40&st=1&v=1.0.59&lv=1&tt=cnzz统计	61.135.185.140
hxxp://s21.cnzz.com/stat.php?id=4833416&web_id=4833416	1.99.192.16
hxxp://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=185766198&si=7e36c4d74dc16bfa27cd9aea154b5de5&st=1&v=1.0.59&lv=1	61.135.185.140
hxxp://c.cnzz.com/core.php?web_id=4793307&t=z	42.120.219.6
hxxp://config.wallba.com/Public/Configs/KpLiveControl/53390.xml	222.186.60.27

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.

Traffic

GET /Public/analysis/motionsendway.xml HTTP/1.1

Host: config.153624.com

Connection: keep-alive 

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

Accept-Encoding: deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 09 Jun 2014 21:41:28 GMT

Content-Type: text/xml

Content-Length: 126

Last-Modified: Tue, 15 Apr 2014 02:37:17 GMT

Connection: keep-alive

ETag: "534c9b5d-7e"

Accept-Ranges: bytes
<?xml version="1.0" encoding="utf-8"?>..<root>..<data&g
t;...<send_time>0</send_time>...<send_way>1</send
_way>..</data>..</root>....

GET /stat.htm?id=4833416&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=2021464923-1402350090-&showp=1024x768&st=0&sin=&t=undefinedundefined&rnd=1983988927 HTTP/1.1

Accept: */*

Referer: hXXp://config.wallba.com/Public/Configs/Liveindex.html?id=53390

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: hzs21.cnzz.com

Connection: Keep-Alive

Cookie: cna=CRgdDIoZnicCAbhrJiboztvu

HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Mon, 09 Jun 2014 21:41:31 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Tue, 28 May 2013 02:57:17 GMT

Connection: close

Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..

GET /Public/conf/mini/1/1_4_3_2_2/53390.xml HTTP/1.1

Host: config.153624.com

Connection: keep-alive 

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

Accept-Encoding: deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 09 Jun 2014 21:41:47 GMT

Content-Type: text/xml

Content-Length: 1008

Last-Modified: Sat, 07 Jun 2014 04:25:05 GMT

Connection: keep-alive

ETag: "53929421-3f0"

Accept-Ranges: bytes
..._..O.K......&.......y.....{.".......g.........<..w .L.Sl.......\
@b..)(7K9......Ha.ymL......[.. Z)E....M<.GFR........%.._w.r...E....
....H....C..`.....M.8/..%9"...<W.(..o.W..U.re.......w...{N.3k......
..Y\v.7I.z.C ........C.fJ.%.l?V?{~(~.$.Q...%H.8.......Q.i.....h@;.b.x.
Au)a1;FM..q...`..t[..J2|'DKsNY|..`.d.:...4..Y.e.V......L..W......K..xe
.}........(".eG...w(...I..#....$ ...oGpk..}4(..a..A..oO..%.*....S. .H.
.PR...l.?...gT...2w.`@..~...w.0'[email protected]..^
P.'..k>.._...VM...-.]...H"t:&5;^wa"...^.... ..5~.......Sb..?"....%.
}.)\.wN..../O:.......wN..../..t~.uR.......4x........I..S.....Vtd?~..].
O.m.."..h.\...V%.2d&...h.....A>......A..=^.{..w/"..FV.?[.}.%Q..f..;
.i.f..;..!)y...;..T....g..\.@*.u.~.&D.O........-L.~...D...........4..]
..r.8.0A..i7...!.M..........-g..?`.K.9....-.yF<..s.p..i(0........oC
a..j:M..:}C:.J......h...Z..L}......;.[.n.T...].C.........e..H.F..a..oe
SwN[..y..R.Y...L]........)6..nF.I..I.... l...d~.......ZW.}...C...W..%.
....o.j1.s.UQ.t.....=..).N.....v....KP....k.....

GET /Public/tongji_baidu.html?ip=&mac=00-0C-29-64-A0-20&area=&channel_id=53390&install_way=1&soft_id=1&start_way=0&type=install&version=4.3.2.2 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: config.153624.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 09 Jun 2014 21:41:23 GMT

Content-Type: text/html

Content-Length: 295

Last-Modified: Tue, 15 Apr 2014 02:37:16 GMT

Connection: keep-alive

ETag: "534c9b5c-127"

Accept-Ranges: bytes
<script type="text/javascript">..var _bdhmProtocol = (("https:" 
== document.location.protocol) ? " hXXps://" : " hXXp://");..document.
write(unescape("