Malware Analysis Report

2024-09-23 17:17

Sample ID 240506-fz83ssdd43
Target 7f4c6298eba5e97b28b3af2012fa43b5a9594a49bdd7d962c9ccc20f135979f3
SHA256 7f4c6298eba5e97b28b3af2012fa43b5a9594a49bdd7d962c9ccc20f135979f3
Tags
qr link upx
score
7/10

Analysis Overview

score
7/10

SHA256

7f4c6298eba5e97b28b3af2012fa43b5a9594a49bdd7d962c9ccc20f135979f3

Threat Level: Shows suspicious behavior

The file 7f4c6298eba5e97b28b3af2012fa43b5a9594a49bdd7d962c9ccc20f135979f3 was found to be: Shows suspicious behavior.

Malicious Activity Summary

qr link upx

Executes dropped EXE

UPX packed file

Loads dropped DLL

AutoIT Executable

Drops file in Windows directory

Unsigned PE

One or more HTTP URLs in qr code identified

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NTFS ADS

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-06 05:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 05:19

Reported

2024-05-06 05:22

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\!果核剥壳 - 全网更新最快.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\!果核剥壳 - 全网更新最快.url"

Network

N/A

Files

memory/1244-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 05:19

Reported

2024-05-06 05:22

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\!果核剥壳 - 全网更新最快.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\!果核剥壳 - 全网更新最快.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-06 05:19

Reported

2024-05-06 05:22

Platform

win7-20240215-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
N/A N/A C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\_temp_heu168yyds\pic\smart-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB3.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x64\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\17-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\ewm_wx.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\23-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\4-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Close.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Over.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Renewal-Close2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Renewal.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x64 C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\19-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\xml\HEU_KMS_Renewal.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\7-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\TAB4.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\2-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\21-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Color.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Min.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\head.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\12-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\17-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\skin.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Setting.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\skin.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\7-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\left.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\files.7z C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\Office2010OSPP\OSPP.VBS C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\15-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\20-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\22-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\24-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK2.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Down.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\OtherOfficeOSPP\slerror.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\15-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\xml\wim.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\ewm_gzh.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\left.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\3-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\About.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK4.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK4.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x86\kms.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\18-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\23-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\logo.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x86\kms.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\OtherOfficeOSPP C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\17-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\2-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\update.ico C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\TAB1.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\Office2010OSPP\OSPP.VBS C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK5.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Min.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Renewal-Close1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\smart-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\TAB5.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\winmgmts:\root\CIMV2 C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: 35 N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe"

C:\Windows\_temp_heu168yyds\7Z.EXE

"C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

Network

N/A

Files

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-06 05:19

Reported

2024-05-06 05:22

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
N/A N/A C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\_temp_heu168yyds\Office2010OSPP C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\OtherOfficeOSPP C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0 C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\24-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\6-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK2.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\update.ico C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\OtherOfficeOSPP C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File created C:\Windows\_temp_heu168yyds\OtherOfficeOSPP\slerror.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\12-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\3-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK2.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Min.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\TAB5.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x86 C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\2-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\3-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\4-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\5-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\7-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\7Z.EXE C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File created C:\Windows\_temp_heu168yyds\pic\19-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK1.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK3.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\smart-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB2.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\1-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\14-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Close.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\ver.ico C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File created C:\Windows\_temp_heu168yyds\7Z.EXE C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\Office2010OSPP C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\4-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Over.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\head.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x64\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x64 C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\2-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\3-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\7-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\head.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\xml\wim.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x64\kms_x64.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\Office2010OSPP\SLERROR.XML C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\1-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\15-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\19-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\23-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\3-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\22-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\6-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\8-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK3.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\ewm_gzh.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB5.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x86\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\22-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\message.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Renewal-Close2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\smart.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\winmgmts:\root\CIMV2 C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: 35 N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.1.0\HEU_KMS_Activator_41.1.0.exe"

C:\Windows\_temp_heu168yyds\7Z.EXE

"C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files
