Analysis Overview
SHA256
c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a
Threat Level: Known bad
The file c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Detect PurpleFox Rootkit
Gh0st RAT payload
PurpleFox
Nirsoft
Sets service image path in registry
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
UPX packed file
AutoIT Executable
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-24 11:36
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 11:36
Reported
2024-05-24 11:39
Platform
win7-20231129-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Nirsoft
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| N/A | N/A | C:\Windows\_tempheukms052411364641\kms_x64.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\4-1.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\Close.png | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\TAB2.png | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\x64\cleanospp.exe | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\JOOYON.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\11-1.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\YUTC.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\logo.png | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\Min.png | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\uefi.exe | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\SONY.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\VESTEL.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\x86\cleanospp.exe | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\THOA21.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\2-1.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\15-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\2-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\FSC.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\SONY.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\OEMDumpNET35.exe | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\wim.xml | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\OLIPRO.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\_ASUS_.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\HASEE.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\QBEXCO.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\smart-1.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\7Z.EXE | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\ACRSYS.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\12-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\3-1.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\BACK1.jpg | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic0\backup-en.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic0\ver.ico | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\FOUNDR.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\K.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\FUJ.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\13-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\TAB4.png | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OffScrub.7z | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OffScrub.7z | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\POSITI.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\gr1dr1 | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic0\uninst-tra.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\kms.exe | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\x86 | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\HPQOEM.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\FUJ.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic0\left.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\IBM.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\LOGIN2.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\MITAC.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\emulateslic | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\12-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\CREAAS.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\OEM\cert\HYRSLP.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\20-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\bootsect.exe | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\TAROX1.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\Office2010OSPP\OSPP.VBS | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\pic\17-2.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\3-3.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\cert.7z | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms052411364641\OEM\cert\HIGRAD.xrm-ms | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms052411364641\pic\2-3.bmp | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts: | C:\Windows\_tempheukms052411364641\kms_x64.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| N/A | N/A | C:\Windows\_tempheukms052411364641\kms_x64.exe | N/A |
| N/A | N/A | C:\Windows\_tempheukms052411364641\kms_x64.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\_tempheukms052411364641\kms_x64.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| Token: 35 | N/A | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\_tempheukms052411364641\7Z.EXE | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | "C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe" |
| C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Users\Admin\AppData\Local\Temp\\RVN.exe |
| C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo Temp=_tempheukms052411364641 >>%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo [UserAgreement] >>%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo UA=NO >>%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1) |
| C:\Windows\_tempheukms052411364641\7Z.EXE | C:\Windows\_tempheukms052411364641\7Z.EXE x C:\Windows\_tempheukms052411364641\KMSmini.7z -y -oC:\Windows\_tempheukms052411364641 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo [Direction] >%windir%\_tempheukms052411364641\ScriptDir.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_tempheukms052411364641\ScriptDir.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Name=HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe >>%windir%\_tempheukms052411364641\ScriptDir.ini |
| C:\Windows\_tempheukms052411364641\kms_x64.exe | C:\Windows\_tempheukms052411364641\kms_x64.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1) |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ver |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
Files
| SHA512 | 1aad3cb84db641d9500d09a530b358d7e41410f030984f50278bee89ca2dbdfb21a2c77482952e70f3f582f154912790b3c18376c97f3c7cec9bcce33c9b5f0c |
C:\Windows\_tempheukms052411364641\pic\7-1.bmp
| MD5 | de93e767f60320ca8bef2754f3ee0e6a |
| SHA1 | 5b20b939db7a62de09595b93234600c50b6587ea |
| SHA256 | 8984d81be5dcd0d7472c175e65a7f4c083340b4e32878e32693aeaae6228e492 |
| SHA512 | 8fd2de6e167ec500682cdaa5aaad0a10757103c55f900e7474bc502dfd03776bdf3807b46e87e8ef030b743ed998b0ca8384128da74f9f9e967fc8996a78640e |
C:\Windows\_tempheukms052411364641\pic\7-2.bmp
| MD5 | 23b3c0b4445d30081d5d2d7d1ea46509 |
| SHA1 | 2b2750baff4b0b501061b8bbba5c898b6164130b |
| SHA256 | b4d5349fd6313734ff0f79c1f559fcd82712aab463393cc7f595279065fdde26 |
| SHA512 | e400f12e5252c5490fac427a635d011f8c6226ce13552566a44afb842781edd214fe18dc698f6fa9089e3e095d9dd466e76278fa213240fc3301f79abc0c28ce |
C:\Windows\_tempheukms052411364641\pic\8-1.bmp
| MD5 | 17a27e0183f025009e0e9ee49d7de45d |
| SHA1 | 77da51103a60338e10c10fd13d74164e0b2f1849 |
| SHA256 | e1e763a89dcc1d346516a9123580c8e540b47062dbc4d666036fb0967bf08306 |
| SHA512 | 1b88c3bc2bc01f056ff16d3e10f22d6d435c3c70142e8dba90d59b2294c335da70d806e19b08b7a649b017c87515855cb2a4da362bea8a86cd7ea93a834e2b34 |
C:\Windows\_tempheukms052411364641\pic\8-2.bmp
| MD5 | adee5867f985b7e4c11a4433dd225b1d |
| SHA1 | 6c0b57835210c7a9909aae95796b0e1da6ed63f9 |
| SHA256 | 303f15369554d1e285b4a90581d45a86081d3700895b387263b5bdff46ceb687 |
| SHA512 | 1677144c620083b5894a285cc32cc5a552f792e489a7183b0793336d7dfd100aaeaef4295815cf966ab41998bcc9d5bb0a2e95e2f3053d7d8c39909ed4526b93 |
C:\Windows\_tempheukms052411364641\pic\9-1.bmp
| MD5 | 043d647ae29e9dd859ddba50d204c5ff |
| SHA1 | af1f095cb9a1fcc838a5ea5975601358967be197 |
| SHA256 | 0cc4107a5b9319de1b332ffae35b60476273b0bdb3679312087043eb77d7e95d |
| SHA512 | 5dfaf6b6d872f6257974910908ca8a2e9a254b87cbc1cbbbf7d9c7d1fd11471ee3be54f42da403fc7162b80522199c4f0472c10542ecddc0ae9f91ed1a525885 |
C:\Windows\_tempheukms052411364641\pic\9-2.bmp
| MD5 | 86c160c68d550b7a2acb6b46c0fdd25a |
| SHA1 | b2ec02ca7d571d2907ed114dd46253ead04bcd05 |
| SHA256 | f6bde4412f12c155a4ad36f1084bce76292d16597e32942e9818ce3fb75be8ac |
| SHA512 | a3c1301abdea7f7acd5cb1cb6cb61df900f3020d7dfddf6be382a57dea8e25abcf9fbbaff7422f23a0130213678748d73addd8c70803f9ec8a63051bd62e3c16 |
C:\Windows\_tempheukms052411364641\pic\10-1.bmp
| MD5 | 88aec5f3833949da9c9e1a75fb1f7be6 |
| SHA1 | a4db450392cd24a8d258cec86657d539d6170dc3 |
| SHA256 | d8989332a09e0f0d099ec3cc50bb95a9b9b4b2aeb2d735f0d1a4ffd8ed5f246a |
| SHA512 | 78422f2ed32dfbc80896062a10e5d58d8d8b4dff11db9714e036621c5ccd44c3551d3988f10a03ab80ccbbaa5a6a3d45cd68c307a3b87a6e5161aca8d3c2416c |
C:\Windows\_tempheukms052411364641\pic\10-2.bmp
| MD5 | 808072808e6ffff8ccd6f6878476e5a6 |
| SHA1 | 56871b1ec67c978fcbbc07fa7a8d63bcae947c6d |
| SHA256 | 0a5aca420d69bc4752fc52825a5cdf5017f15e55c05e1a014c3eb01dcff4c6e6 |
| SHA512 | e92960656339e0a8923941f15fe6537d64d0e1b43c89e4c01c99d8a01055bd50c247f52f7debdc60ced725406f8589d0387d7a3f48e381956b88b8331869b231 |
C:\Windows\_tempheukms052411364641\pic\11-1.bmp
| MD5 | 9dfc76f1fac5fe605e230474cb81b7b6 |
| SHA1 | bc1b282c5cf378869ef79a10111cae1736e53e50 |
| SHA256 | 0505c7edfb2bb0823c34242a45ac8e60e1867dbb6a102114041a97c0d643e033 |
| SHA512 | 69e8d06b584b2f496e329fe392bfa28961c707406a8e1a694a7fc72b3e9e078ff1c68fe5a914518278b26f05f6549337fcfc9c38c9a778f32d13e6f429f92be8 |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 8478bfdc561e59e75a97fd7a2b753770 |
| SHA1 | e71b0a5fb628a716b230fe59696e1818c87bbe3c |
| SHA256 | ee2a3d2dd5aebc72f07ee56be21e402c999bca2d143db3c1def8c23347f831fb |
| SHA512 | a9ebeea2deb6a12af58d518c29e3cc851617da667ad79ba26377f248ab6f19bcf22f2dfb9f63a6e001b43a75a5cbe08a093d67d143f8f220b87558995cad9e35 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 11:36
Reported
2024-05-24 11:39
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| N/A | N/A | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| N/A | N/A | C:\Windows\_tempheukms05241136488756\kms_x64.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\NAVIHB.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\10-3.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\Down.png | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic0\uninst-en.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\OEMDumpNET35.exe | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\ScriptDir.ini | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\SetupComplete.data | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\2-3.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\9-1.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\x86\SppExtComObjHook.dll | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\EXC.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\HCLINF.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\DATATE.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\digital.7z | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\MSGlogo.jpg | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\13-1.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\10-1.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\11-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\2-3.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\4-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\HIGRAD.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\CZC011.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\TOSHIB.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\YUTC.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic0\inst-en.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic0\inst.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\cert.7z | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\HPQOEM.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\Over.png | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic0\inst-tra.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OtherOfficeOSPP | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\x64\SetACL.exe | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\digital.7z | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\gr1dr34 | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\10-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\2-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic0\head.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\OEGROU.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\4-1.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic0\backup-en.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\21-1.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\Office2010OSPP\SLERROR.XML | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\JOOYON.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\TOSCPL.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\FUJ.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\TOSHIB.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\ONKYO.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\BACK3.jpg | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\LOGIN2.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\BACK3.jpg | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic0\shuoming.jpg | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\x64\SppExtComObjHookARM64.dll | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\16-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\gr1dr1 | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\9-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic0\inst.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\kms_x64.exe | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\FOUNDR.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\OEM\cert\DSGLTD.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\10-3.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\pic\20-2.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File created | C:\Windows\_tempheukms05241136488756\pic\5-1.bmp | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| File opened for modification | C:\Windows\_tempheukms05241136488756\OEM\cert\CREAAS.xrm-ms | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts: | C:\Windows\_tempheukms05241136488756\kms_x64.exe | N/A |
Caveat: `winmgmts:` is the WMI moniker prefix (the string handed to `GetObject("winmgmts:...")`), so this hit is most likely the sandbox's colon-in-filename heuristic firing on a WMI lookup that got resolved against the working directory, not a real alternate data stream. Treat it as informational unless a `file:stream` pair is actually found on disk.
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\_tempheukms05241136488756\kms_x64.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| Token: 35 (raw LUID; 35 = SeCreateSymbolicLinkPrivilege, which the sandbox does not name) | N/A | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\_tempheukms05241136488756\7Z.EXE | N/A |
| Token: 33 (raw LUID; 33 = SeIncreaseWorkingSetPrivilege, which the sandbox does not name) | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 (raw LUID; SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
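The four signatures "Drops file in Drivers directory", "Sets service image path in registry", "Suspicious behavior: LoadsDriver" and the SeLoadDriverPrivilege row above are one action by one process: TXPlatforn.exe drops QAssist.sys, registers it as a kernel service and loads it. The added example below (editor's code, not part of the sandbox report or of the malware) correlates those events back to the process. EVENTS is constructed from the indicator rows on this page with an assumed generic schema (type / proc / path / key / value / priv); the ImagePath normaliser is the part a practitioner usually gets wrong, because driver entries are stored relative to SystemRoot rather than as full Win32 paths.

```python
"""Tie the four signatures that together describe a kernel-driver install
(driver dropped into system32\\drivers, service ImagePath written,
SeLoadDriverPrivilege enabled, driver loaded) back to the one process that
did all of them.  Added example, not code from the sandbox or the report;
EVENTS is constructed from the indicator rows above and uses an assumed
generic event schema (type / proc / path / key / value / priv)."""
import ntpath
import re
from collections import defaultdict

SYSTEM_ROOT = r"C:\Windows"
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Constructed from the behavioral2 rows: TXPlatforn.exe drops QAssist.sys,
# registers it as a service and loads it; 7Z.EXE's SeRestorePrivilege is
# included as the kind of unrelated privilege use a correlator must ignore.
EVENTS = [
    {"type": "file_create", "proc": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "reg_set", "proc": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    {"type": "priv_adjust", "proc": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "priv": "SeLoadDriverPrivilege"},
    {"type": "driver_load", "proc": r"C:\Windows\SysWOW64\TXPlatforn.exe"},
    {"type": "priv_adjust", "proc": r"C:\Windows\_tempheukms05241136488756\7Z.EXE",
     "priv": "SeRestorePrivilege"},
]


def normalize_image_path(value: str) -> str:
    """Turn a service ImagePath into a lower-cased Win32 path so it can be
    joined with file-create events.  Driver entries are usually stored
    relative to SystemRoot ('system32\\DRIVERS\\x.sys'); the other common
    forms are '\\SystemRoot\\...' and the NT-prefixed '\\??\\C:\\...'."""
    v = value.strip().strip('"')
    if v.startswith("\\??\\"):
        v = v[4:]
    elif v.lower().startswith("\\systemroot\\"):
        v = SYSTEM_ROOT + v[len("\\SystemRoot"):]
    elif not re.match(r"^[A-Za-z]:\\", v):
        v = ntpath.join(SYSTEM_ROOT, v)
    return ntpath.normpath(v).lower()


def correlate(events):
    """Group evidence per process and return every (service, driver file)
    pair where the same process both wrote the file and registered it."""
    by_proc = defaultdict(lambda: {"dropped": set(), "services": {},
                                   "privs": set(), "loaded": False})
    for ev in events:
        rec = by_proc[ev["proc"].lower()]
        if ev["type"] == "file_create" and ev["path"].lower().endswith(".sys"):
            rec["dropped"].add(ntpath.normpath(ev["path"]).lower())
        elif ev["type"] == "reg_set":
            m = SERVICE_KEY.search(ev["key"])
            if m:
                rec["services"][m.group(1)] = normalize_image_path(ev["value"])
        elif ev["type"] == "priv_adjust":
            rec["privs"].add(ev["priv"])
        elif ev["type"] == "driver_load":
            rec["loaded"] = True

    findings = []
    for proc, rec in by_proc.items():
        for svc, image in rec["services"].items():
            if image in rec["dropped"]:
                findings.append({
                    "process": proc,
                    "service": svc,
                    "driver": image,
                    "load_priv": "SeLoadDriverPrivilege" in rec["privs"],
                    "loaded": rec["loaded"],
                })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['process']} installed service {f['service']} -> {f['driver']} "
              f"(SeLoadDriverPrivilege={f['load_priv']}, loaded={f['loaded']})")
```

The join is on the normalised driver path, so a telemetry pipeline that records registry values verbatim (`system32\DRIVERS\QAssist.sys`) and file paths in Win32 form (`C:\Windows\system32\drivers\QAssist.sys`) still matches; without the normaliser the two never line up and the chain is lost.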
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | "C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe" |
| C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Users\Admin\AppData\Local\Temp\\RVN.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe | C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo Temp=_tempheukms05241136488756 >>%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo [UserAgreement] >>%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo UA=NO >>%windir%\ScriptTemp.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1) |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\_tempheukms05241136488756\7Z.EXE | C:\Windows\_tempheukms05241136488756\7Z.EXE x C:\Windows\_tempheukms05241136488756\KMSmini.7z -y -oC:\Windows\_tempheukms05241136488756 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo [Direction] >%windir%\_tempheukms05241136488756\ScriptDir.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_tempheukms05241136488756\ScriptDir.ini |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Name=HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe >>%windir%\_tempheukms05241136488756\ScriptDir.ini |
| C:\Windows\_tempheukms05241136488756\kms_x64.exe | C:\Windows\_tempheukms05241136488756\kms_x64.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1) |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ver |
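The one command line in the process list that is pure malware tradecraft is `cmd.exe /c ping -n 2 127.0.0.1 > nul && del ...\RVN.exe > nul`: the loopback ping is a sleep so the dropper's file handle is released before cmd deletes it, once TXPlatforn.exe has already been written to SysWOW64. The rest (the `echo ... >%windir%\ScriptTemp.ini` lines, the `7Z.EXE x` extraction, `ver`) is the bundled KMS activator's own installer logic. The added example below (editor's code, not from the sandbox, the report or the sample) parses process-creation command lines for that ping-or-timeout-then-del idiom and checks whether the deleted file is the parent process's own image. EVENTS is constructed from the command lines above plus a `timeout`-based variant and two benign look-alikes, with an assumed generic pid/ppid/image/cmdline schema.

```python
"""Spot the 'ping the loopback as a sleep, then del' self-deletion idiom from
the process list above, where cmd.exe removes the dropper RVN.exe once
TXPlatforn.exe is in place.  Added example, not code from the sandbox or the
report; EVENTS is constructed from the report's command lines plus
look-alikes, with an assumed generic pid/ppid/image/cmdline schema."""
import ntpath
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Strip stdout/stderr redirections ('> nul', '2>&1') first so the '&' inside
# '2>&1' does not split segments, then split on the cmd.exe chain operators.
REDIR = re.compile(r"\s*\d?>>?\s*(?:&\d|\S+)")
SEP = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
SHELL_PREFIX = re.compile(r"^.*?\s/[ck]\s+", re.IGNORECASE)  # drop 'cmd.exe /c '

EVENTS = [
    {"pid": 1424, "ppid": 900, "image": r"C:\Users\Admin\AppData\Local\Temp\RVN.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\\RVN.exe"},
    {"pid": 1252, "ppid": 1424, "image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "cmdline": r"C:\Windows\SysWOW64\TXPlatforn.exe -auto"},
    {"pid": 2000, "ppid": 1424, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"},
    # Constructed variant: timeout instead of ping, del flags, quoted path with a space.
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\stage 2.exe" 2>&1'},
    # Constructed benign look-alikes: a real reachability ping, the activator's INI write.
    {"pid": 3200, "ppid": 900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 10.0.0.5 && echo up"},
    {"pid": 3201, "ppid": 900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini"},
]


def analyze(cmdline):
    """Return {'delay': host-or-'timeout', 'target': path} when one command
    line chains a loopback ping or a timeout with a del/erase, else None."""
    body = REDIR.sub("", SHELL_PREFIX.sub("", cmdline, count=1))
    delay = target = None
    for seg in SEP.split(body):
        toks = seg.split()
        if not toks:
            continue
        verb = toks[0].lower().rsplit("\\", 1)[-1].strip('"')  # 'C:\...\PING.EXE' -> 'ping'
        if verb.endswith(".exe"):
            verb = verb[:-4]
        if verb == "ping":
            hosts = [t for t in toks[1:] if not t.startswith("-") and not t.isdigit()]
            if hosts and hosts[0].lower() in LOOPBACK:
                delay = hosts[0]
        elif verb == "timeout":
            delay = "timeout"
        elif verb in ("del", "erase"):
            target = " ".join(t for t in toks[1:] if not t.startswith("/")).strip('"')
    if delay and target:
        return {"delay": delay, "target": target}
    return None


def find_self_deletes(events):
    """Run analyze() over process-creation events and report whether the
    deleted file is the parent's own image (dropper clean-up) or at least a
    file that was executed during the session."""
    images = {e["pid"]: e["image"] for e in events}
    executed = {ntpath.normcase(i) for i in images.values()}
    findings = []
    for e in events:
        hit = analyze(e["cmdline"])
        if hit is None:
            continue
        target = ntpath.normcase(hit["target"])
        findings.append({
            "pid": e["pid"],
            "delay": hit["delay"],
            "target": hit["target"],
            "deletes_parent": target == ntpath.normcase(images.get(e["ppid"], "")),
            "target_was_executed": target in executed,
        })
    return findings


if __name__ == "__main__":
    for f in find_self_deletes(EVENTS):
        print(f"pid {f['pid']}: {f['delay']} delay then del {f['target']} "
              f"(parent={f['deletes_parent']}, executed={f['target_was_executed']})")
```

Stripping redirections before splitting matters: `2>&1` contains `&`, and a naive split on `&` would turn it into a bogus segment. The `deletes_parent` flag is what turns this from a noisy "someone ran ping and del" rule into a dropper-cleanup detection.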
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
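Most of the Network table is sandbox noise: the `*.in-addr.arpa` rows are the sandbox reverse-resolving the addresses it saw, and the bing/baidu traffic is the activator's connectivity checks. What matters is that `hackerinvasion.f3322.net` was queried five times over UDP/53 and never followed by a TCP connection, which is the pattern of a Gh0st RAT C2 hostname on a dynamic-DNS provider that did not resolve during detonation; the name is still the best indicator on the page. The added example below (editor's code, not from the sandbox or the report) parses the table as pasted, drops PTR noise, counts queries against connections per name and returns the names worth hunting for. DDNS_SUFFIXES and CONNECTIVITY_NOISE are assumed lists to be replaced with the reader's own.

```python
"""Triage the sandbox Network table: discard reverse-lookup noise, count how
often each name was queried versus actually connected to, and surface names
that were resolved repeatedly without any TCP follow-up.  Added example, not
code from the sandbox or the report; NETWORK_ROWS is the behavioral2 table
pasted as text, DDNS_SUFFIXES / CONNECTIVITY_NOISE are assumed lists."""
import re
from collections import defaultdict

NETWORK_ROWS = """\
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
"""

ROW = re.compile(r"^\|\s*(?P<cc>\w+)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
                 r"\s*(?P<domain>\S+)\s*\|\s*(?P<proto>tcp|udp)\s*\|$")
# Assumed lists: dynamic-DNS providers and the connectivity-check hosts seen here.
DDNS_SUFFIXES = ("f3322.net", "f3322.org", "3322.org", "no-ip.com", "ddns.net", "duckdns.org")
CONNECTIVITY_NOISE = ("bing.com", "bing.net", "baidu.com", "msftconnecttest.com")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def _has_suffix(domain, suffixes):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)


def triage(rows):
    """Per domain: DNS queries seen, TCP connections seen, and whether it is a
    dynamic-DNS name or ordinary connectivity-check noise.  PTR lookups
    (in-addr.arpa / ip6.arpa) are the sandbox resolving the IPs it observed
    and carry no attacker intent, so they are dropped."""
    stats = defaultdict(lambda: {"queries": 0, "tcp": 0, "ddns": False, "noise": False})
    for r in rows:
        name = r["domain"].lower()
        if name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa"):
            continue
        s = stats[name]
        if r["proto"] == "udp" and r["port"] == 53:
            s["queries"] += 1
        elif r["proto"] == "tcp":
            s["tcp"] += 1
        s["ddns"] = _has_suffix(name, DDNS_SUFFIXES)
        s["noise"] = _has_suffix(name, CONNECTIVITY_NOISE)
    return dict(stats)


def suspects(rows, min_queries=3):
    """Names worth blocking or hunting: any dynamic-DNS name, or a name that
    was resolved repeatedly without ever being connected to."""
    out = []
    for name, s in triage(rows).items():
        if s["noise"]:
            continue
        if s["ddns"] or (s["queries"] >= min_queries and s["tcp"] == 0):
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for name, s in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{name:32} queries={s['queries']} tcp={s['tcp']} ddns={s['ddns']} noise={s['noise']}")
    print("suspects:", suspects(parse_rows(NETWORK_ROWS)))
```

The repeated-query-with-no-connection rule catches C2 names even when the provider list is incomplete: a host that the sample keeps asking for and never reaches is either unresolved, sinkholed or blocked, and all three are worth a hunt across DNS logs.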
Files
C:\Users\Admin\AppData\Local\Temp\RVN.exe
| MD5 | 80ade1893dec9cab7f2e63538a464fcc |
| SHA1 | c06614da33a65eddb506db00a124a3fc3f5be02e |
| SHA256 | 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd |
| SHA512 | fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4 |
memory/1424-4-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1424-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1424-12-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1424-6-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1252-15-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1252-19-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
| MD5 | 39e90933e88c1571110d26e3d03a0273 |
| SHA1 | 00506e7ae8f1c84bc24ee7f4e053d9f2393626d6 |
| SHA256 | a54456ee78ec9b0b683e8a548b59824226f81b0b90dc628fd3d625d53696a374 |
| SHA512 | 348641ede4054a456e78be60f8abd3b4b21e8543e8c5764b9886e48f7d8914e49ad232ccdaa88c2924bd1ff872119e0acc925302f27a34922d520d1badb921d4 |
memory/3784-28-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3784-31-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1252-30-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3784-36-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\ScriptTemp.ini
| MD5 | 0c2d784bd54aca1dd4a4d706f3d19aad |
| SHA1 | e7dc8b81360f48d16c38f22d0d43344f91b49124 |
| SHA256 | 6e060247f4a0fe1dab28b6a9aa302ab4db1686594061db087ac8782ada8739df |
| SHA512 | 6943d17c7597cbb7207d88d5f3805673a39f3a4bdca4a428f628f1f0a1334a93af90f44c26f4e59b3d265e961487ff0fd2b8d09cdc6b6057e3004d56d34eca5b |
C:\Windows\ScriptTemp.ini
| MD5 | 43c92082c832e330a8ed7cfe6b991f3e |
| SHA1 | 92d063b660ce7f738ac66bd02eea5c374310c107 |
| SHA256 | 12d96013c0d56ec7a88ddbcdc3c85e97311c230078d04d1146e75d6614231d95 |
| SHA512 | ed141e2c973dc7b6e3ebdb8283d15759390d459962dec6877c496c5959516331b86caf30a3b62d2dea892280a550dd4cb350abd77a7b829e7a7c44b608f51fa2 |
memory/1252-18-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1252-17-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut6DED.tmp
| MD5 | a17762dc8329359b11ea9ca9eb0ffe27 |
| SHA1 | a7214744a61a1ef92a79d1148a81fb55abff64c0 |
| SHA256 | 2f7c8f3384995341436fa90c1a9e545613a57e1ab9e73d90d0774c819844e731 |
| SHA512 | 54d379fbf28d2d1d6710150a4285f1ba05e553e4b19708c3ae6fc866f3ee8dc5189aeacf5fe035f45716a68399f72a46d58e824cc7e10053a833dac01f9f1501 |
C:\Windows\_tempheukms05241136488756\digital.7z
| MD5 | caf71eb57c23ce0d6703414893aed947 |
| SHA1 | 25283ba2bc76b5af929e52a15de057198b843f6f |
| SHA256 | 7541ec02a4cbd62690d9aeb06d922a7382bcbfd7d17578a9b69cff3868b096da |
| SHA512 | df3866bf09bd97c70d1f2488462f7c739043f8816192e7b734a70fcb8a377465aaf17799392d7ac173b090374f52ff71f6b7bd7a18ef9295452098720b26b87c |
C:\Windows\_tempheukms05241136488756\cert.7z
| MD5 | 5ffd2c6dc5dc2dc07fe5cd45448061f1 |
| SHA1 | a08c603c23a0fab43cd3903042de8c2c3cd26322 |
| SHA256 | 7fd98aab6bac7b6264b2ef3ba7818c0521ef02793631f9d23e28929804bab325 |
| SHA512 | aec152ec9cce0917256a7d3fce49ae3cec43abd0dbffdde25a2eda52cd4bb6eee55f63a2169680a7b4b0e6c0792514f70bb1d0e397f627e87399b67ca4a0a61a |
C:\Windows\_tempheukms05241136488756\DigitalLicence.7z
| MD5 | 1843ab0c616447ada3a452f01bc0df8e |
| SHA1 | 1f40068bc1ad5469768752f7b25c07b2567871c4 |
| SHA256 | 67b0363a14716d81a7322f229b634ffa61161f80260d0e0c16af5a18bbae2b91 |
| SHA512 | 153d5eec9a73d63b12d0089cd25c70f5a2c740eeb138a73beb096049693a685c08c8d605e536449cd7b1e0341796f3f1a3cfbc4d9ba9681c3390cd7041b92425 |
C:\Windows\_tempheukms05241136488756\OffScrub.7z
| MD5 | 05c11f2664d4ed209b6a0ebf198f56bd |
| SHA1 | 0e5ea1e0b728d8b2d5011bd6e56829b8dfbc8e68 |
| SHA256 | efe232e3e38e19073f438408a892e259d5672e46ce1469c73a7aaf6ede58f7d1 |
| SHA512 | 81e2b5d96081ed19bff4da930240119e55e67990fa264f4f948870ebec8a3b13fad8c8284aafbd92dea35db72dbe06f10cb0dc2c5084cb51d2e07440c5f4fc6e |
C:\Windows\_tempheukms05241136488756\7Z.EXE
| MD5 | 43141e85e7c36e31b52b22ab94d5e574 |
| SHA1 | cfd7079a9b268d84b856dc668edbb9ab9ef35312 |
| SHA256 | ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d |
| SHA512 | 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc |
C:\Windows\_tempheukms05241136488756\ScriptDir.ini
| MD5 | 8ae2dae3a0651c88dc193f63deb0cdee |
| SHA1 | 4466469ed06e699dd8647263c4060fec752c5cc0 |
| SHA256 | b70662ce78f1b79d25502b40e95718f6f118ff4526f7e8153adf785e90e11f50 |
| SHA512 | 1440888a5703c818053a3e7de13410e65dde4500ccfba3e1161eca05244fe5f4a7309fc1e20fddfdedfb669fdb0ec3ca6577a5f42b4400c06b1205e6929f9058 |
C:\Windows\_tempheukms05241136488756\HEU_Configuration.ini
| MD5 | b74971f1fe581cf08e8f69124f5f2bcd |
| SHA1 | dc56ff99d0204bd44928a925054f52d1c38c68f1 |
| SHA256 | b7dea91768212bc915345f82b9165f3bdef0f4333ea6738ac800758296fb5b00 |
| SHA512 | dd66bf6d9a03eb10027ae739ab2a97a481fca8778a4a5546275a2e266fd022b1e02b91d3e2d37d86b6c4bb7d895575b0b4cfa6d7c8289ff635246585fbde366c |
C:\Windows\_tempheukms05241136488756\HEU_KMS_Renewal.xml
| MD5 | a381b30e51ac126f51f421e082de0ea7 |
| SHA1 | 5f847e828bd7b5dd0d02f4c505fcb084c69b068c |
| SHA256 | 84de47c26a7379ef5c31ad5452372e7477bfb739e2684d31c0db22cbed56d401 |
| SHA512 | 89cacee08884390f06f79e4e41481eb90363099aa7da960ee3cef8cfcef03623105fe0be7ad2c88077b42ebc5efb21e5d713607850f48a191708298f34323180 |
C:\Windows\_tempheukms05241136488756\HEU_Set.ini
| MD5 | 5251be66b4b2d836e6ecf183a3ae83e6 |
| SHA1 | e0f941232d0c3ba8906ca12b9de31d9b95495503 |
| SHA256 | eaed66f92ebdcc94dcf567a7e20ecff799751ded4cf563dc633c5bc13cfe3dc7 |
| SHA512 | bc996a2ff9bb8d2c9caefcff37449bb757a9b1c70bdf5473ac4fe45f6ba6d00c8d3efbc9d40b6421e12a28314515e3186625f73c2f017e3ca51bf1fc433b3a20 |
C:\Windows\_tempheukms05241136488756\kms-client.exe
| MD5 | a83db3ac36bf6c660518ea41f6db700c |
| SHA1 | 2b98346e8737e50b63e14da9989aba8b61e99ce6 |
| SHA256 | 47f5b3bbb071fda3f0540e1658a9d08d6526bfe2525288a1ba0c6d093a16bbf2 |
| SHA512 | e88b81c70059881fbb518719366a73e47db753b409391cf710c89c2e7f19e396d012a1a98ffb4fc9d78dc8ba96051234ce6255c1a6fb8548f0b66b1b0e8987d2 |
C:\Windows\_tempheukms05241136488756\kms-server.exe
| MD5 | fb8202b9093d817326b3102ef4157964 |
| SHA1 | ee874efe4712035329c0a8e04a67556a8b8ac56f |
| SHA256 | e9b964b13f6363997fb27078e2a21ee7f73cdaa0100aa29db45e63c5aa3220ce |
| SHA512 | bb0dd7da730a5229e332802f320d7ca9d220612cd22d8463578d492d4fb4a8ebf9d67587ad28d1147a17e91ce85af32ab7bf46583713590a09c61d7a3eb0cb0a |
C:\Windows\_tempheukms05241136488756\kms.exe
| MD5 | 6b0f259387d98c8cbcbc9e4ba727106b |
| SHA1 | de746304596ad5530de973ee15626adada3793e0 |
| SHA256 | 0361a5d5a46071b36100a801fbf8e7c63f023e8e56d80271a0382e3d1affae18 |