gh0strat | c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
Size

8.9MB
MD5

5d927dd18e44f86e3630f81058cd47e4
SHA1

6c326cfa6f65ce02489686439f5efbe945ea61bc
SHA256

c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a
SHA512

2924aeec0787d444934ac7f8da3a74425b75f968797b378b7f8c4e758e21596899ac761a744ba249c69ac6b030ce3743bf500c1cb2b386929d8b48a8b0087343
SSDEEP

196608:9y2LkBESjrEjpEVlN2eEaBVTyTat2Iyyrqyu7pBaRP8:OZVlN2ePBVltvysqp9

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1424-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1424-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1424-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1252-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3784-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3784-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1252-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3784-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1252-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1252-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1424-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1424-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1424-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1252-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3784-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3784-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1252-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3784-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1252-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1252-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Windows\_tempheukms05241136488756\ProduKey.exe	Nirsoft

Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 6 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe7Z.EXEkms_x64.exe

pid	process
1424	RVN.exe
1252	TXPlatforn.exe
3784	TXPlatforn.exe
1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
1256	7Z.EXE
3852	kms_x64.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1424-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1424-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1424-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1424-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1252-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1252-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3784-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3784-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1252-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3784-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1252-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1252-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	autoit_exe
C:\Windows\_tempheukms05241136488756\kms.exe	autoit_exe
C:\Windows\_tempheukms05241136488756\kms_x64.exe	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Windows directory 64 IoCs

Processes:

7Z.EXEcmd.exeHD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

description	ioc	process
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\NAVIHB.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\10-3.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\Down.png	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic0\uninst-en.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\OEMDumpNET35.exe	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\ScriptDir.ini	cmd.exe
File opened for modification	C:\Windows\_tempheukms05241136488756\SetupComplete.data	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\2-3.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\9-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\x86\SppExtComObjHook.dll	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\EXC.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\HCLINF.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\DATATE.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\digital.7z	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\MSGlogo.jpg	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\13-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\10-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\11-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\2-3.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\4-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\HIGRAD.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\CZC011.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\TOSHIB.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\YUTC.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic0\inst-en.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic0\inst.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\cert.7z	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\HPQOEM.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\Over.png	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic0\inst-tra.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OtherOfficeOSPP	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\x64\SetACL.exe	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\digital.7z	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
File created	C:\Windows\_tempheukms05241136488756\OEM\gr1dr34	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\10-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\2-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic0\head.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\OEGROU.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\4-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic0\backup-en.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\21-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\Office2010OSPP\SLERROR.XML	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\JOOYON.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\TOSCPL.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\FUJ.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\TOSHIB.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\ONKYO.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\BACK3.jpg	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\LOGIN2.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\BACK3.jpg	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic0\shuoming.jpg	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\x64\SppExtComObjHookARM64.dll	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\16-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\gr1dr1	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\9-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic0\inst.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\kms_x64.exe	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\FOUNDR.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\OEM\cert\DSGLTD.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\10-3.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\pic\20-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms05241136488756\pic\5-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms05241136488756\OEM\cert\CREAAS.xrm-ms	7Z.EXE

NTFS ADS 1 IoCs

Processes:

kms_x64.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts: kms_x64.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1460 PING.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:	kms_x64.exe

pid	process
1460	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exeHD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exekms_x64.exe

pid	process
3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
3852	kms_x64.exe
3852	kms_x64.exe
3852	kms_x64.exe
3852	kms_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kms_x64.exe

pid process

3852 kms_x64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

3784 TXPlatforn.exe

pid	process
3852	kms_x64.exe

pid	process
3784	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

RVN.exeTXPlatforn.exe7Z.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1424	RVN.exe
Token: SeLoadDriverPrivilege	3784	TXPlatforn.exe
Token: SeRestorePrivilege	1256	7Z.EXE
Token: 35	1256	7Z.EXE
Token: SeSecurityPrivilege	1256	7Z.EXE
Token: SeSecurityPrivilege	1256	7Z.EXE
Token: 33	3784	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3784	TXPlatforn.exe
Token: 33	3784	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3784	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

pid process

3432 c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exeTXPlatforn.exeRVN.exeHD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.execmd.exekms_x64.exe

description	pid	process	target process
PID 3432 wrote to memory of 1424	3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	RVN.exe
PID 3432 wrote to memory of 1424	3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	RVN.exe
PID 3432 wrote to memory of 1424	3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	RVN.exe
PID 1252 wrote to memory of 3784	1252	TXPlatforn.exe	TXPlatforn.exe
PID 1252 wrote to memory of 3784	1252	TXPlatforn.exe	TXPlatforn.exe
PID 1252 wrote to memory of 3784	1252	TXPlatforn.exe	TXPlatforn.exe
PID 1424 wrote to memory of 3652	1424	RVN.exe	cmd.exe
PID 1424 wrote to memory of 3652	1424	RVN.exe	cmd.exe
PID 1424 wrote to memory of 3652	1424	RVN.exe	cmd.exe
PID 3432 wrote to memory of 1184	3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 3432 wrote to memory of 1184	3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 3432 wrote to memory of 1184	3432	c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 1184 wrote to memory of 1872	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 1872	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 1872	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2128	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2128	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2128	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 3972	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 3972	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 3972	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2148	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2148	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2148	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2060	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2060	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2060	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 3652 wrote to memory of 1460	3652	cmd.exe	PING.EXE
PID 3652 wrote to memory of 1460	3652	cmd.exe	PING.EXE
PID 3652 wrote to memory of 1460	3652	cmd.exe	PING.EXE
PID 1184 wrote to memory of 1256	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	7Z.EXE
PID 1184 wrote to memory of 1256	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	7Z.EXE
PID 1184 wrote to memory of 1256	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	7Z.EXE
PID 1184 wrote to memory of 3240	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 3240	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 3240	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2600	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2600	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2600	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2476	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2476	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 2476	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	cmd.exe
PID 1184 wrote to memory of 3852	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	kms_x64.exe
PID 1184 wrote to memory of 3852	1184	HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe	kms_x64.exe
PID 3852 wrote to memory of 2936	3852	kms_x64.exe	cmd.exe
PID 3852 wrote to memory of 2936	3852	kms_x64.exe	cmd.exe
PID 3852 wrote to memory of 1240	3852	kms_x64.exe	cmd.exe
PID 3852 wrote to memory of 1240	3852	kms_x64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
"C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1460

C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini
3⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Temp=_tempheukms05241136488756 >>%windir%\ScriptTemp.ini
3⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo [UserAgreement] >>%windir%\ScriptTemp.ini
3⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo UA=NO >>%windir%\ScriptTemp.ini
3⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)
3⤵
PID:2060

C:\Windows\_tempheukms05241136488756\7Z.EXE
C:\Windows\_tempheukms05241136488756\7Z.EXE x C:\Windows\_tempheukms05241136488756\KMSmini.7z -y -oC:\Windows\_tempheukms05241136488756
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo [Direction] >%windir%\_tempheukms05241136488756\ScriptDir.ini
3⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_tempheukms05241136488756\ScriptDir.ini
3⤵
- Drops file in Windows directory
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Name=HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe >>%windir%\_tempheukms05241136488756\ScriptDir.ini
3⤵
PID:2476

C:\Windows\_tempheukms05241136488756\kms_x64.exe
C:\Windows\_tempheukms05241136488756\kms_x64.exe
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)
4⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:1240

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
992KB

MD5
8478bfdc561e59e75a97fd7a2b753770

SHA1
e71b0a5fb628a716b230fe59696e1818c87bbe3c

SHA256
ee2a3d2dd5aebc72f07ee56be21e402c999bca2d143db3c1def8c23347f831fb

SHA512
a9ebeea2deb6a12af58d518c29e3cc851617da667ad79ba26377f248ab6f19bcf22f2dfb9f63a6e001b43a75a5cbe08a093d67d143f8f220b87558995cad9e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
Filesize
7.9MB

MD5
39e90933e88c1571110d26e3d03a0273

SHA1
00506e7ae8f1c84bc24ee7f4e053d9f2393626d6

SHA256
a54456ee78ec9b0b683e8a548b59824226f81b0b90dc628fd3d625d53696a374

SHA512
348641ede4054a456e78be60f8abd3b4b21e8543e8c5764b9886e48f7d8914e49ad232ccdaa88c2924bd1ff872119e0acc925302f27a34922d520d1badb921d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6DED.tmp
Filesize
3.0MB

MD5
a17762dc8329359b11ea9ca9eb0ffe27

SHA1
a7214744a61a1ef92a79d1148a81fb55abff64c0

SHA256
2f7c8f3384995341436fa90c1a9e545613a57e1ab9e73d90d0774c819844e731

SHA512
54d379fbf28d2d1d6710150a4285f1ba05e553e4b19708c3ae6fc866f3ee8dc5189aeacf5fe035f45716a68399f72a46d58e824cc7e10053a833dac01f9f1501

Download Submit
C:\Windows\ScriptTemp.ini
Filesize
60B

MD5
0c2d784bd54aca1dd4a4d706f3d19aad

SHA1
e7dc8b81360f48d16c38f22d0d43344f91b49124

SHA256
6e060247f4a0fe1dab28b6a9aa302ab4db1686594061db087ac8782ada8739df

SHA512
6943d17c7597cbb7207d88d5f3805673a39f3a4bdca4a428f628f1f0a1334a93af90f44c26f4e59b3d265e961487ff0fd2b8d09cdc6b6057e3004d56d34eca5b

Download Submit
C:\Windows\ScriptTemp.ini
Filesize
68B

MD5
43c92082c832e330a8ed7cfe6b991f3e

SHA1
92d063b660ce7f738ac66bd02eea5c374310c107

SHA256
12d96013c0d56ec7a88ddbcdc3c85e97311c230078d04d1146e75d6614231d95

SHA512
ed141e2c973dc7b6e3ebdb8283d15759390d459962dec6877c496c5959516331b86caf30a3b62d2dea892280a550dd4cb350abd77a7b829e7a7c44b608f51fa2

Download Submit
C:\Windows\ScriptTemp.ini
Filesize
69B

MD5
08b74276e10ec8c574f47ec25344a484

SHA1
7f4e51acde95f16ee097aa21343ab19aa6d89129

SHA256
28ecbcbea684aec42685970a3e9ecfd599556c3df539d61f66d1122a92782328

SHA512
d91d6903e833ea279468f1c5d56f07375f43069d345889aa8341c2ca943799dbd27d358164274bc147c25db1deb9b95986e35a6aa0e99a4afca7b1f449288ffd

Download Submit
C:\Windows\_tempheukms05241136488756\7Z.EXE
Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Windows\_tempheukms05241136488756\DigitalLicence.7z
Filesize
489KB

MD5
1843ab0c616447ada3a452f01bc0df8e

SHA1
1f40068bc1ad5469768752f7b25c07b2567871c4

SHA256
67b0363a14716d81a7322f229b634ffa61161f80260d0e0c16af5a18bbae2b91

SHA512
153d5eec9a73d63b12d0089cd25c70f5a2c740eeb138a73beb096049693a685c08c8d605e536449cd7b1e0341796f3f1a3cfbc4d9ba9681c3390cd7041b92425

Download Submit
C:\Windows\_tempheukms05241136488756\HEU_Configuration.ini
Filesize
2KB

MD5
b74971f1fe581cf08e8f69124f5f2bcd

SHA1
dc56ff99d0204bd44928a925054f52d1c38c68f1

SHA256
b7dea91768212bc915345f82b9165f3bdef0f4333ea6738ac800758296fb5b00

SHA512
dd66bf6d9a03eb10027ae739ab2a97a481fca8778a4a5546275a2e266fd022b1e02b91d3e2d37d86b6c4bb7d895575b0b4cfa6d7c8289ff635246585fbde366c

Download Submit
C:\Windows\_tempheukms05241136488756\HEU_KMS_Renewal.xml
Filesize
2KB

MD5
a381b30e51ac126f51f421e082de0ea7

SHA1
5f847e828bd7b5dd0d02f4c505fcb084c69b068c

SHA256
84de47c26a7379ef5c31ad5452372e7477bfb739e2684d31c0db22cbed56d401

SHA512
89cacee08884390f06f79e4e41481eb90363099aa7da960ee3cef8cfcef03623105fe0be7ad2c88077b42ebc5efb21e5d713607850f48a191708298f34323180

Download Submit
C:\Windows\_tempheukms05241136488756\HEU_Set.ini
Filesize
47B

MD5
5251be66b4b2d836e6ecf183a3ae83e6

SHA1
e0f941232d0c3ba8906ca12b9de31d9b95495503

SHA256
eaed66f92ebdcc94dcf567a7e20ecff799751ded4cf563dc633c5bc13cfe3dc7

SHA512
bc996a2ff9bb8d2c9caefcff37449bb757a9b1c70bdf5473ac4fe45f6ba6d00c8d3efbc9d40b6421e12a28314515e3186625f73c2f017e3ca51bf1fc433b3a20

Download Submit
C:\Windows\_tempheukms05241136488756\OffScrub.7z
Filesize
753KB

MD5
05c11f2664d4ed209b6a0ebf198f56bd

SHA1
0e5ea1e0b728d8b2d5011bd6e56829b8dfbc8e68

SHA256
efe232e3e38e19073f438408a892e259d5672e46ce1469c73a7aaf6ede58f7d1

SHA512
81e2b5d96081ed19bff4da930240119e55e67990fa264f4f948870ebec8a3b13fad8c8284aafbd92dea35db72dbe06f10cb0dc2c5084cb51d2e07440c5f4fc6e

Download Submit
C:\Windows\_tempheukms05241136488756\ProduKey.exe
Filesize
75KB

MD5
21e92db033b3c12ae0f158d24c37df4f

SHA1
db1d1d24cdef74f69ea3937aad912e81e7303e34

SHA256
6bab04858fa717c2c6f17d6267435a6500aa63e34486c5a7e6ee243c4d0a63fa

SHA512
981b1418045a4cabcebcdecdaa08475290193ed4b261bb0ca15a966f15f672e314468df22234321865c20eb89051c10916bd074a764abca5888f503fc49327d6

Download Submit
C:\Windows\_tempheukms05241136488756\ScriptDir.ini
Filesize
54B

MD5
8ae2dae3a0651c88dc193f63deb0cdee

SHA1
4466469ed06e699dd8647263c4060fec752c5cc0

SHA256
b70662ce78f1b79d25502b40e95718f6f118ff4526f7e8153adf785e90e11f50

SHA512
1440888a5703c818053a3e7de13410e65dde4500ccfba3e1161eca05244fe5f4a7309fc1e20fddfdedfb669fdb0ec3ca6577a5f42b4400c06b1205e6929f9058

Download Submit
C:\Windows\_tempheukms05241136488756\ScriptDir.ini
Filesize
133B

MD5
3737328a8daaddfc95d274a856d9acd0

SHA1
b3260417cced54f7b21485cac815dc059fd3aaf5

SHA256
d59f5d6fb01d0b1b1f21123769c6637e5f88369ed6909ca42e5cba018404d887

SHA512
872336fe49b7a2585464bc769d0c2fcf307304493fffe75128c218b4283871f40299cb500350d770fef27174198f1e1e70705bbf7e1a2ab48f4bed293d98f80e

Download Submit
C:\Windows\_tempheukms05241136488756\SetupComplete.data
Filesize
173B

MD5
13e06d184fff389461413b492bdee1f8

SHA1
3977c70724a67be800f9b6cdce67fe78fec9adc6

SHA256
c7a8b216ba576b07cad119be0c82be0180d8e55bb254102ff3efd46b4b7c8036

SHA512
ad6e766eb8125918dfd4e9ab8cd51de1120c084f0f9571132a3007c01397e953f0fdd0dbc9f246b32fc7fc406941794ef1c8dabd613d28c2f6419f21738fa3df

Download Submit
C:\Windows\_tempheukms05241136488756\SvcTrigger.xml
Filesize
4KB

MD5
ade0007995da8218a924eae18dd5ffa4

SHA1
de4480d869df4e45e666e3ba74c87786d2ba01e9

SHA256
6c4c7816d99652a6248e8877ac24d341b3d87bb1e7a6be159eacbb6b6bc61352

SHA512
25576dd5103c8f677452ede6bbd1ded407f290741f0e30294ddfbe54d43be98a7f9601a3d722a997041980da083d7de7da9b2e9525d920cc207143bd60ffee95

Download Submit
C:\Windows\_tempheukms05241136488756\cert.7z
Filesize
595KB

MD5
5ffd2c6dc5dc2dc07fe5cd45448061f1

SHA1
a08c603c23a0fab43cd3903042de8c2c3cd26322

SHA256
7fd98aab6bac7b6264b2ef3ba7818c0521ef02793631f9d23e28929804bab325

SHA512
aec152ec9cce0917256a7d3fce49ae3cec43abd0dbffdde25a2eda52cd4bb6eee55f63a2169680a7b4b0e6c0792514f70bb1d0e397f627e87399b67ca4a0a61a

Download Submit
C:\Windows\_tempheukms05241136488756\digital.7z
Filesize
1.4MB

MD5
caf71eb57c23ce0d6703414893aed947

SHA1
25283ba2bc76b5af929e52a15de057198b843f6f

SHA256
7541ec02a4cbd62690d9aeb06d922a7382bcbfd7d17578a9b69cff3868b096da

SHA512
df3866bf09bd97c70d1f2488462f7c739043f8816192e7b734a70fcb8a377465aaf17799392d7ac173b090374f52ff71f6b7bd7a18ef9295452098720b26b87c

Download Submit
C:\Windows\_tempheukms05241136488756\kms-client.exe
Filesize
52KB

MD5
a83db3ac36bf6c660518ea41f6db700c

SHA1
2b98346e8737e50b63e14da9989aba8b61e99ce6

SHA256
47f5b3bbb071fda3f0540e1658a9d08d6526bfe2525288a1ba0c6d093a16bbf2

SHA512
e88b81c70059881fbb518719366a73e47db753b409391cf710c89c2e7f19e396d012a1a98ffb4fc9d78dc8ba96051234ce6255c1a6fb8548f0b66b1b0e8987d2

Download Submit
C:\Windows\_tempheukms05241136488756\kms-server.exe
Filesize
39KB

MD5
fb8202b9093d817326b3102ef4157964

SHA1
ee874efe4712035329c0a8e04a67556a8b8ac56f

SHA256
e9b964b13f6363997fb27078e2a21ee7f73cdaa0100aa29db45e63c5aa3220ce

SHA512
bb0dd7da730a5229e332802f320d7ca9d220612cd22d8463578d492d4fb4a8ebf9d67587ad28d1147a17e91ce85af32ab7bf46583713590a09c61d7a3eb0cb0a

Download Submit
C:\Windows\_tempheukms05241136488756\kms.exe
Filesize
1.6MB

MD5
6b0f259387d98c8cbcbc9e4ba727106b

SHA1
de746304596ad5530de973ee15626adada3793e0

SHA256
0361a5d5a46071b36100a801fbf8e7c63f023e8e56d80271a0382e3d1affae18

SHA512
3ee15aedf02538dc5bf4f6132e12657a01f356e3ec73b6176b6693077db221c7e395e6da05b606b5dcd6e31428c15472d363d4b39cd3bf7126b4c7f4ff82ff6b

Download Submit
C:\Windows\_tempheukms05241136488756\kms_x64.exe
Filesize
1.7MB

MD5
a64024c4871874c641abe4e601e22385

SHA1
d3a4e04450654202c8f13c33360ddebb0041f521

SHA256
c207cd6fc79c9ff1444a2c92b456f504c87aaf5dd9733271c8b0a00781188a70

SHA512
389363f57ba1dae6538717cfc253674c37be0e01fe6be1762c38aa75c4979bdcb450929eb14d6701b5df1109f6b60809a10a92123c3781a97f74fbccba004d16

Download Submit
C:\Windows\_tempheukms05241136488756\pic\1-1.bmp
Filesize
3KB

MD5
e0833d8bcd690690ef879ce9ba3c11c6

SHA1
135a54bbc8ee0985ed461cadb5f047595e200a56

SHA256
aa14bda30d6e8d2a7b16bb3fec8262baa3736986edefd054689f4efe530aa71f

SHA512
efac0a3e3be8888a1600682e1a9eb87da741f8be26ba755341640e866d88b3241b5c00b25218ea67fd9030c0b03554b7ca2702d65cff45377b1a7a64a8d58452

Download Submit
C:\Windows\_tempheukms05241136488756\pic\1-2.bmp
Filesize
3KB

MD5
3cb5c501213ab8c6cfe12fd92b529143

SHA1
90acb219726556f2f4bcf831a56240c61dc518f8

SHA256
e1ed58b8341b07f1f1eb9dd379206d4b81acefc1f7a487b77c79c3ed2886e33b

SHA512
9b925efda06bbb358f7cdb9a29bda2c411a5260445cf7286755dfbfec54eb413e34759f89a329361fd20dbc39df576f35fe81bf5138070a3f3cb0525ac4681f6

Download Submit
C:\Windows\_tempheukms05241136488756\pic\10-1.bmp
Filesize
4KB

MD5
88aec5f3833949da9c9e1a75fb1f7be6

SHA1
a4db450392cd24a8d258cec86657d539d6170dc3

SHA256
d8989332a09e0f0d099ec3cc50bb95a9b9b4b2aeb2d735f0d1a4ffd8ed5f246a

SHA512
78422f2ed32dfbc80896062a10e5d58d8d8b4dff11db9714e036621c5ccd44c3551d3988f10a03ab80ccbbaa5a6a3d45cd68c307a3b87a6e5161aca8d3c2416c

Download Submit
C:\Windows\_tempheukms05241136488756\pic\10-2.bmp
Filesize
4KB

MD5
808072808e6ffff8ccd6f6878476e5a6

SHA1
56871b1ec67c978fcbbc07fa7a8d63bcae947c6d

SHA256
0a5aca420d69bc4752fc52825a5cdf5017f15e55c05e1a014c3eb01dcff4c6e6

SHA512
e92960656339e0a8923941f15fe6537d64d0e1b43c89e4c01c99d8a01055bd50c247f52f7debdc60ced725406f8589d0387d7a3f48e381956b88b8331869b231

Download Submit
C:\Windows\_tempheukms05241136488756\pic\10-3.bmp
Filesize
4KB

MD5
14069ab8547a7aeb723b2786c2487587

SHA1
0a2b3f915496a5a75ef693adfbc8fd07c9cd8850

SHA256
db79399797d374cca31c7dbc4b8e16b03f5d0e75b9c903dd6b4cf18726a51098

SHA512
3ce4bf7992146de13a110298b066b0f27c5c1c583450a074c347d6df6ca867b0a7779b61bb4466cf7d78776c458dbf51a631da449a3886a08d801b870baeea13

Download Submit
C:\Windows\_tempheukms05241136488756\pic\11-1.bmp
Filesize
4KB

MD5
9dfc76f1fac5fe605e230474cb81b7b6

SHA1
bc1b282c5cf378869ef79a10111cae1736e53e50

SHA256
0505c7edfb2bb0823c34242a45ac8e60e1867dbb6a102114041a97c0d643e033

SHA512
69e8d06b584b2f496e329fe392bfa28961c707406a8e1a694a7fc72b3e9e078ff1c68fe5a914518278b26f05f6549337fcfc9c38c9a778f32d13e6f429f92be8

Download Submit
C:\Windows\_tempheukms05241136488756\pic\11-2.bmp
Filesize
4KB

MD5
a317949559be707aa631a95adeb810af

SHA1
d778104b63e4ccd96d34b3739d23137457f1499e

SHA256
5de82be4f8d7b6b949ddf2fa8e9240dde10f61fa405d12c48b7f3948e8ee68fb

SHA512
caf218d76dee6f44845d4280957cb8b85401f1e884795fe91300d92f11096c74604d3a46b79d7119d77f124e63606d794adbe90a66f52f614f7a65715302428e

Download Submit
C:\Windows\_tempheukms05241136488756\pic\12-1.bmp
Filesize
4KB

MD5
68bcbaa656e0bab9290d91a2d33827b7

SHA1
5c8f9d106b5fdce45d1156370e095e60d63dddb3

SHA256
33adbe2110ec619b21b30fb9463fea603a26a29c8a285ca8ffb7e2ac8c3ca019

SHA512
5c7a75cdbdeb6314b68bb342aa4847543c9c5204e6c810d35e3cb6ad470689ee5745f941c594425f7c1516208e33d8b53ccfaea0e4e9661d8084dc91d740c68e

Download Submit
C:\Windows\_tempheukms05241136488756\pic\12-2.bmp
Filesize
4KB

MD5
a833b05a3ff4fef229bf73285bc6efb8

SHA1
f0095103468e14f2faa0b8f88301dcb4a125534a

SHA256
1fbe4d4310ae3755db6fe4a8c29960387554109f78419610e4f173fdc609ccd3

SHA512
7acb5411b7e67c962e7b0bd4c49a7f851a78290c76689ddf572c91dc4896b243aa7fe2f71efeb595193e933c3972eefbcb71e810bf4b2dfcada0dc24e2867291

Download Submit
C:\Windows\_tempheukms05241136488756\pic\19-1.bmp
Filesize
536B

MD5
addd7eaef8a73b1178c103661e17feff

SHA1
e62d9fc0e837c1f365385488e11df2677547f0a6

SHA256
0dc79af8aba2990023f45a6afae6e081e0dbd65b09b3790ad9ad91053b985ad1

SHA512
17639a0a6c0a779c67c23bc4f708f4fc98c03888219f9e7f6bb60ee166e16246a10b31e61fdd119d7d9fa32a6d9d8b2fb9d34786a93412cbdd7db467c133da63

Download Submit
C:\Windows\_tempheukms05241136488756\pic\2-1.bmp
Filesize
3KB

MD5
afb60ed1ff996a85f0e7cbff94248ae4

SHA1
c62f805d42e7d9a70af8d66d6e226351e9907962

SHA256
546932dfd2f371720662d977bdf20a826d29f39354135b4f65ed06eac4fa7119

SHA512
c1ca4710ba01e96c4a28c3a23cae6073f1d59ca070c20ca3b25541525f75212cceb2327b8e99b4d321f5522535c86206ebe58e7a96d15749ca29f501c34fb22b

Download Submit
C:\Windows\_tempheukms05241136488756\pic\2-2.bmp
Filesize
3KB

MD5
fa2a0513abd15f913c8cb2baca80085c

SHA1
80386b9a0efa1149334f9917578316f9dd943c84

SHA256
a02b832b8576ba7973e78aa70e482443110a5c681b4d9ce9a32c99cd2889582e

SHA512
77b602b31b9958af757b168f41718e52707869ae7b275bd0f37d58ebbbef1cdb9db8bec2b84642783ddebdf4da06a45d48c6f28c33118ab372efd7b727124e1e

Download Submit
C:\Windows\_tempheukms05241136488756\pic\2-3.bmp
Filesize
3KB

MD5
f4dc67e990a6e81e5b27d5a883ea93c5

SHA1
9e26590186bda1174c69ed2572074794d522e096

SHA256
5a9b4aac61c2f7ac2e4e65030bd40d7323402c1a2b0cb65a92bab84224787e9f

SHA512
d6ca29df6a4189aa751e122016f16f6ef46ffef56bf6e01017fdde5acd85fec6bc965c8809044dea13a59b3e652bf2da857211cb59a56b3cc7534e2e974b7749

Download Submit
C:\Windows\_tempheukms05241136488756\pic\3-1.bmp
Filesize
3KB

MD5
eb844a94dba2c7db8b3d5d358826bfa1

SHA1
89b84a0e2d4d2e59f0916cb7eff8178f0f109f46

SHA256
42e6e8e78c5a13b195140952cda5bd6468d7e14ef0c2cf081839941fe6426ce8

SHA512
e75c572766afbc9225a23c33a0f08ffd10ac15cf9bcdfad0060f347894f3be76633600d863acf97ebc9f9c4ede6d58988c05b1f0f2856a9f2eaae5e25ff152e7

Download Submit
C:\Windows\_tempheukms05241136488756\pic\3-2.bmp
Filesize
3KB

MD5
f58f7c0d4e9543501fc24c7c40d05749

SHA1
bab6cacc75236d306b3f7b7c5c7983694577fa20

SHA256
af281d2a72d60d2270d24bc75ad4ade7f2dc27eaeb207122f19cd9ee12d39df6

SHA512
ac7f2ab63a22a501e6ab3baf6f6995e01ec04df4db13c818bb445e9d5323bacd39b72bd9d3909ef175c4c5f4456914b7abc02e4a4a6353b5f5b1346e1a026515

Download Submit
C:\Windows\_tempheukms05241136488756\pic\3-3.bmp
Filesize
3KB

MD5
6bced572118957cdbb06e3ea7edfb1b1

SHA1
c844b3a797052062a41c93344df10e7c0c000d49

SHA256
1e33d33c3a829d7919e5bb6980a2677641d3cfbdb844347be8ba82f8445e07fa

SHA512
e52c8074b8d239a5f756a13221b66d91e0428ec12d2a785bbb98935ccb7eb2ca9f53a5fbe54a87d5631b8cabbb67076caafd520b428231cf9bce0e3c7b23569f

Download Submit
C:\Windows\_tempheukms05241136488756\pic\4-1.bmp
Filesize
3KB

MD5
5ce46152706f7d7b5d48a088cd15a8a6

SHA1
f7fbce4fd7e646a6889b80d58f2b1292d6f9e680

SHA256
d7d93929f032db7a0b6b11f09e58ee3d2260c45f2861ffb95753a983d34ec337

SHA512
392443e7959098c653ae9640c59734ab51784f6e0af142a280a44359c0238ab4d8c9fb255797f0f3e64612c133e18e12bd0b1341f661dd65e54c7bec05a4829f

Download Submit
C:\Windows\_tempheukms05241136488756\pic\4-2.bmp
Filesize
3KB

MD5
751e2e1ca20bfc4b662084638ecc15c1

SHA1
a010d6551bb2c40ccb7fff9a7782df06df7716aa

SHA256
3e6fdd20c78c83596568133f651c209c9f1ecd98e8698f209b27736343767314

SHA512
7e09e7f70ead62b1265b5fdb972a1c7a2fe2a318e90ce4d630fb7b999498f2fc9909439177ff03eb7970106bc5fc7ea083a8498d0917ccb8a3d965cac74b0fd6

Download Submit
C:\Windows\_tempheukms05241136488756\pic\5-1.bmp
Filesize
2KB

MD5
6ea083bd67cd3a4433476ec617312af9

SHA1
84ef840c98fc31bc93ad04cb0875dd1042168c64

SHA256
57759d7ebb145fe8d3ca830f563ddad615a12ca569f0e0e44c2db471dabbe00e

SHA512
5f18cabc3b50a3d4f193423f211071a2e4d17a1325593892deb8282344745133e7b688bedcb4a015c0163a473c36b696728348303ee1c66d4debf59cdbbe9063

Download Submit
C:\Windows\_tempheukms05241136488756\pic\5-2.bmp
Filesize
2KB

MD5
56c1052619ced459ac5869cdd5e85cd2

SHA1
1db42703988b429f035b0b433461950e85ca7346

SHA256
d356d45501bffe21e0e9587022f5fc01f31db5a96715f72ec216a52a94453dcd

SHA512
161ec85d0d54d70f2126ca41a5be7308c18c8d05aaff6127fdee50e937749b2cf721423a8da858ab250e83a16cb7827e9583b8d56343ca0b5eb263acf5c3f2c3

Download Submit
C:\Windows\_tempheukms05241136488756\pic\6-1.bmp
Filesize
3KB

MD5
d2dde87b25bf39f9f3a6d53ee490c44c

SHA1
5eec04addcb350fc436a67841dd159784f417279

SHA256
2a15651060e3a526e84ce8ea31f08b879ff578f4e280cd9476cbabaee298d138

SHA512
82f08e247582b81436504e71ce40efd7afe254aef8bbc0812bd545c8c908729909890d57641727febdf35163b832066537317eed8b1c1c2cced0cba7f6fa8b06

Download Submit
C:\Windows\_tempheukms05241136488756\pic\6-2.bmp
Filesize
3KB

MD5
83feb1292d3c5ca59bf6ff471fc57442

SHA1
b9d793a81321ab9474c357408fa4fff11cceb79d

SHA256
e81611c330c9e4d9547c79336335a3edfca4297add5ad55d221dc77c5bf94ab2

SHA512
1aad3cb84db641d9500d09a530b358d7e41410f030984f50278bee89ca2dbdfb21a2c77482952e70f3f582f154912790b3c18376c97f3c7cec9bcce33c9b5f0c

Download Submit
C:\Windows\_tempheukms05241136488756\pic\7-1.bmp
Filesize
3KB

MD5
de93e767f60320ca8bef2754f3ee0e6a

SHA1
5b20b939db7a62de09595b93234600c50b6587ea

SHA256
8984d81be5dcd0d7472c175e65a7f4c083340b4e32878e32693aeaae6228e492

SHA512
8fd2de6e167ec500682cdaa5aaad0a10757103c55f900e7474bc502dfd03776bdf3807b46e87e8ef030b743ed998b0ca8384128da74f9f9e967fc8996a78640e

Download Submit
C:\Windows\_tempheukms05241136488756\pic\7-2.bmp
Filesize
3KB

MD5
23b3c0b4445d30081d5d2d7d1ea46509

SHA1
2b2750baff4b0b501061b8bbba5c898b6164130b

SHA256
b4d5349fd6313734ff0f79c1f559fcd82712aab463393cc7f595279065fdde26

SHA512
e400f12e5252c5490fac427a635d011f8c6226ce13552566a44afb842781edd214fe18dc698f6fa9089e3e095d9dd466e76278fa213240fc3301f79abc0c28ce

Download Submit
C:\Windows\_tempheukms05241136488756\pic\8-1.bmp
Filesize
4KB

MD5
17a27e0183f025009e0e9ee49d7de45d

SHA1
77da51103a60338e10c10fd13d74164e0b2f1849

SHA256
e1e763a89dcc1d346516a9123580c8e540b47062dbc4d666036fb0967bf08306

SHA512
1b88c3bc2bc01f056ff16d3e10f22d6d435c3c70142e8dba90d59b2294c335da70d806e19b08b7a649b017c87515855cb2a4da362bea8a86cd7ea93a834e2b34

Download Submit
C:\Windows\_tempheukms05241136488756\pic\8-2.bmp
Filesize
4KB

MD5
adee5867f985b7e4c11a4433dd225b1d

SHA1
6c0b57835210c7a9909aae95796b0e1da6ed63f9

SHA256
303f15369554d1e285b4a90581d45a86081d3700895b387263b5bdff46ceb687

SHA512
1677144c620083b5894a285cc32cc5a552f792e489a7183b0793336d7dfd100aaeaef4295815cf966ab41998bcc9d5bb0a2e95e2f3053d7d8c39909ed4526b93

Download Submit
C:\Windows\_tempheukms05241136488756\pic\9-1.bmp
Filesize
4KB

MD5
043d647ae29e9dd859ddba50d204c5ff

SHA1
af1f095cb9a1fcc838a5ea5975601358967be197

SHA256
0cc4107a5b9319de1b332ffae35b60476273b0bdb3679312087043eb77d7e95d

SHA512
5dfaf6b6d872f6257974910908ca8a2e9a254b87cbc1cbbbf7d9c7d1fd11471ee3be54f42da403fc7162b80522199c4f0472c10542ecddc0ae9f91ed1a525885

Download Submit
C:\Windows\_tempheukms05241136488756\pic\9-2.bmp
Filesize
4KB

MD5
86c160c68d550b7a2acb6b46c0fdd25a

SHA1
b2ec02ca7d571d2907ed114dd46253ead04bcd05

SHA256
f6bde4412f12c155a4ad36f1084bce76292d16597e32942e9818ce3fb75be8ac

SHA512
a3c1301abdea7f7acd5cb1cb6cb61df900f3020d7dfddf6be382a57dea8e25abcf9fbbaff7422f23a0130213678748d73addd8c70803f9ec8a63051bd62e3c16

Download Submit
C:\Windows\_tempheukms05241136488756\pic\Close.png
Filesize
2KB

MD5
e71b36478c663f85777cd8c8cadef39a

SHA1
c622a31feb72dd8fd3a500892d5defa491950036

SHA256
64cda4f38899f8c9f51740e88f0459f6843b1d1a2b60400a42779af70fd7cdd6

SHA512
c868b1faa8d560cf76cf82ca2fe48188fdb2998423c09ef2a08bdae069a190adcd49bba89e542c1bf0c7276d8e5a95f22aa54c752fd7797f26eb7dee945a4827

Download Submit
C:\Windows\_tempheukms05241136488756\pic\Color.png
Filesize
2KB

MD5
e526c2d1ef30b88f42194565f5d0b4d2

SHA1
d0d9fe934b97e7e1f7de3fb2ba985e8b92306f89

SHA256
9743655c6c18ccfe763eb5a7b3b7b1b59d253d04252914457d9fc27e1906d255

SHA512
5631f38662ded91dc930f5c33b2dd6a447c02068209b3c27beab8db35f5e437d3171d7d6caa346a903396179eb88429a6ced7b7b6d07dc240dd284c757ed7d35

Download Submit
C:\Windows\_tempheukms05241136488756\pic\Min.png
Filesize
2KB

MD5
7a2ce401af45e36cbdd5d61043e48d92

SHA1
84d65c79df30a8d05ae48c040066dfc72e76e02f

SHA256
d316a0f310f74325f57416d89946aa09e6e7785bbfbba3fae9fcb3b0e5f8c741

SHA512
d29cc67cd8e40f3cd4ac28ad222805fda5af27dd9bb83c0cc2caf76942b783c57d68ea0827377eb48cbbc0b0f121741a465f87c3bb70ae7c94576e7d950078d2

Download Submit
C:\Windows\_tempheukms05241136488756\pic\Setting.png
Filesize
2KB

MD5
547b1994623c0bf11e5cddd515fae9e4

SHA1
94622ebf0ca77985ebde633fab653115d55085fb

SHA256
91c6eb4d8c09e9fd8ee2ca6f7d8580698e5fb24a6335b6315b0f88662376f706

SHA512
262a0a8defaa2cf75d7077f3daf2aef71b82d3c036ca865b65286b3cc7a4d6d46fa8f7ad0eb602d8cf16ff67d646ca4f9c5a8e2202d56556025d9e053913c88e

Download Submit
C:\Windows\_tempheukms05241136488756\pic\skin.png
Filesize
2KB

MD5
ca9775a98825ce6705418f15ee08eb6f

SHA1
00ec33d8677092e9cfbfd24660b62ff97b7a92cf

SHA256
d9c6a796ca0edd6ccc838dbf55628973b999c63e19af7a09cff8f86ec1d080bc

SHA512
5e255cd1ec2a84da856e42f1a244dc7b7616c3035e8692650c1572f218d163954449f25af0705009ea00b2fb89d44af58903bf6f06b7e934f8c01f075f2bfa7b

Download Submit
C:\Windows\_tempheukms05241136488756\pic\smart-1.bmp
Filesize
29KB

MD5
8022a6caed299ad3afc870cb6c0d28b6

SHA1
cba4fb19b204e324b730b0609c282f7ce20ba824

SHA256
001f4adc1266e944c63bb0e823f387aa342694ba77aa7c001dd7de3800e19b88

SHA512
95a1670a46e6e5a8d4ef76b6f5ce4a81c376d8f107ec406cc688c94cda4b62872064170a90afb536101713558fdb0750e2d629745da0d649842a232333e7a935

Download Submit
C:\Windows\_tempheukms05241136488756\pic\smart-2.bmp
Filesize
29KB

MD5
0edef2c665f84021efa62f8edbbf9b97

SHA1
817f131bdb9f661df00be5dd4db111aa6fc51c34

SHA256
f0d035596bade49f611a59fd0d0568f10030ed1ed52d8d524671be13d7d5f2f0

SHA512
496049c4b20b8adcb9b4dcfabc8832332ed299a14e90fbb162993470ece28c74983371b35b39205c591971b3eaa693ed53c497775e28b723ff29f6b50069e6ae

Download Submit
C:\Windows\_tempheukms05241136488756\wim.xml
Filesize
7KB

MD5
9d2a8d70c850ce12bd258a5b22cdea52

SHA1
f9ab84a64d00d9ea65c69a3ac25ae1536c54c934

SHA256
1b96471c5bf67a6c440a05357a29e7b20d04ed2fcd2f83f924a93e29a1dba239

SHA512
cef8f1c341756eef28e38085c3bb460ba14af0f8141b63c49f8ff0c453455973513d2ff571951f085f36e4057e60e938f5e327fc94b3946eb82f4a8e76bf787c

Download Submit
memory/1252-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1252-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1252-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1252-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1252-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1424-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1424-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1424-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1424-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3784-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3784-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3784-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download