Malware Analysis Report

2025-01-02 15:25

Sample ID 240524-nqx8yafd64
Target c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a
SHA256 c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a

Threat Level: Known bad

The file c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Gh0strat

Detect PurpleFox Rootkit

Gh0st RAT payload

PurpleFox

Nirsoft

Sets service image path in registry

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

UPX packed file

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 11:36

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 11:36

Reported

2024-05-24 11:39

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A
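The two signatures above, a .sys created under system32\drivers and the QAssist service ImagePath written by the same process (C:\Windows\SysWOW64\TXPlatforn.exe, which this report also flags for LoadsDriver and SeLoadDriverPrivilege), form the drop-then-register pattern a detection engineer correlates. The Python below is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. It runs that correlation over a handful of constructed Sysmon-style events (the event dicts, the PIDs, and the services.exe and setup.exe entries are made up to mirror the report's indicators), normalises the spellings an ImagePath can use for a kernel driver, and rates an ImagePath write as high when the writing process also created the driver file earlier in the stream. TRUSTED_WRITERS is an assumed noise filter to tune per environment.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style events for this example (Sysmon event IDs 11 FileCreate
# and 13 RegistryEvent SetValue carry these fields). They mirror the report's
# TXPlatforn.exe/QAssist indicators; PIDs and the services.exe/setup.exe rows are
# made up, not taken from the report.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "pid": 2340,
     "image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "target": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"event": "RegistrySetValue", "pid": 2340,
     "image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
     "details": r"system32\DRIVERS\QAssist.sys"},
    # Normal driver installation: the Service Control Manager writes ImagePath.
    {"event": "RegistrySetValue", "pid": 512,
     "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\volsnap\ImagePath",
     "details": r"System32\drivers\volsnap.sys"},
    # Unknown installer registering a driver it did not drop in this stream.
    {"event": "RegistrySetValue", "pid": 4100,
     "image": r"C:\Temp\setup.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleDrv\ImagePath",
     "details": r"\SystemRoot\system32\drivers\exampledrv.sys"},
    # User-mode service binary, not a driver: ignored.
    {"event": "RegistrySetValue", "pid": 512,
     "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"%SystemRoot%\System32\spoolsv.exe"},
]

IMAGEPATH_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)

# Assumed noise filter: processes that legitimately write ImagePath values.
# Installers do too, so this is a tuning list, not an allow-list.
TRUSTED_WRITERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msiexec.exe",
}


def normalize_driver_path(value, windir=r"C:\Windows"):
    """Canonicalise an ImagePath value so it compares with a FileCreate path.
    Handles 'system32\\DRIVERS\\x.sys', '\\SystemRoot\\...', '%SystemRoot%\\...'
    and the NT '\\??\\C:\\...' form; returns a lowercase normalised path."""
    v = value.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if v.lower().startswith(prefix):
            v = v[len(prefix):]
    low = v.lower()
    if low.startswith("\\systemroot\\"):
        v = windir + v[len("\\systemroot"):]
    elif low.startswith("%systemroot%\\"):
        v = windir + v[len("%systemroot%"):]
    elif low.startswith("system32\\"):
        v = windir + "\\" + v
    return ntpath.normpath(v).lower()


def detect_driver_persistence(events):
    """One finding per ImagePath write that points at a .sys and comes from a
    process outside TRUSTED_WRITERS. Severity is 'high' when that same PID also
    created the driver file earlier (drop-then-register), otherwise 'medium'.
    Events are assumed to be in chronological order."""
    created_by_pid = defaultdict(set)
    findings = []
    for ev in events:
        if ev["event"] == "FileCreate":
            created_by_pid[ev["pid"]].add(normalize_driver_path(ev["target"]))
            continue
        if ev["event"] != "RegistrySetValue":
            continue
        m = IMAGEPATH_RE.search(ev["target"])
        if not m:
            continue
        driver = normalize_driver_path(ev["details"])
        if not driver.endswith(".sys") or ev["image"].lower() in TRUSTED_WRITERS:
            continue
        dropped = driver in created_by_pid[ev["pid"]]
        findings.append({"service": m.group("svc"), "driver": driver,
                         "writer": ev["image"], "pid": ev["pid"],
                         "dropped": dropped,
                         "severity": "high" if dropped else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_driver_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] service={f['service']} driver={f['driver']} "
              f"writer={f['writer']} pid={f['pid']}")
```

A caveat worth keeping in mind when porting this to live telemetry: a service installed through the Service Control Manager (CreateService) shows up as services.exe writing ImagePath, which is why that process is in the noise filter; a direct registry write by the dropper itself, as logged here for TXPlatforn.exe, is the stronger signal, and pairing it with the FileCreate of the same .sys is what lifts the finding to high.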

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\_tempheukms052411364641\pic\4-1.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\Close.png C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\TAB2.png C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\x64\cleanospp.exe C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\JOOYON.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\11-1.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\YUTC.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\logo.png C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\Min.png C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\uefi.exe C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\SONY.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\VESTEL.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\x86\cleanospp.exe C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\THOA21.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\2-1.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\15-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\2-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\FSC.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\SONY.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\OEMDumpNET35.exe C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\wim.xml C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\OLIPRO.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\_ASUS_.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\HASEE.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\QBEXCO.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\smart-1.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\7Z.EXE C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\ACRSYS.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\12-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\3-1.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\BACK1.jpg C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic0\backup-en.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic0\ver.ico C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\FOUNDR.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\K.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\FUJ.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\13-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\TAB4.png C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OffScrub.7z C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms052411364641\OffScrub.7z C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\POSITI.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\gr1dr1 C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic0\uninst-tra.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\kms.exe C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\x86 C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\HPQOEM.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\FUJ.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic0\left.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\IBM.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\LOGIN2.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\MITAC.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\emulateslic C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\12-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\CREAAS.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\OEM\cert\HYRSLP.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\20-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\bootsect.exe C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\TAROX1.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\Office2010OSPP\OSPP.VBS C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\pic\17-2.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\3-3.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms052411364641\cert.7z C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms052411364641\OEM\cert\HIGRAD.xrm-ms C:\Windows\_tempheukms052411364641\7Z.EXE N/A
File created C:\Windows\_tempheukms052411364641\pic\2-3.bmp C:\Windows\_tempheukms052411364641\7Z.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts: C:\Windows\_tempheukms052411364641\kms_x64.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\_tempheukms052411364641\kms_x64.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\_tempheukms052411364641\7Z.EXE N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\_tempheukms052411364641\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_tempheukms052411364641\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_tempheukms052411364641\7Z.EXE N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(repeated rows collapsed; the count in parentheses is the number of logged write events for that writer/target pair)
PID 2548 wrote to memory of 3044 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2548 wrote to memory of 1508 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 3044 wrote to memory of 2684 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2680 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2600 (7 events) N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1508 wrote to memory of 2740 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2348 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1508 wrote to memory of 2632 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2540 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 3048 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2848 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms052411364641\7Z.EXE
PID 1508 wrote to memory of 1288 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 692 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 112 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 784 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms052411364641\kms_x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

"C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo Temp=_tempheukms052411364641 >>%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo [UserAgreement] >>%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo UA=NO >>%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)

C:\Windows\_tempheukms052411364641\7Z.EXE

C:\Windows\_tempheukms052411364641\7Z.EXE x C:\Windows\_tempheukms052411364641\KMSmini.7z -y -oC:\Windows\_tempheukms052411364641

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo [Direction] >%windir%\_tempheukms052411364641\ScriptDir.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_tempheukms052411364641\ScriptDir.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Name=HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe >>%windir%\_tempheukms052411364641\ScriptDir.ini

C:\Windows\_tempheukms052411364641\kms_x64.exe

C:\Windows\_tempheukms052411364641\kms_x64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver
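Recovering a parent/child structure from the flattened WriteProcessMemory rows and the command lines listed above is the first step in reading a report like this. The Python below is an added example written for this page, not part of the sandbox report. It parses the report's own writer/target rows (one row per pair, with one repeat left in to show that repeats fold) into a tree. It assumes the report's column layout, that the paths contain no spaces (true here), and that a process writing into a freshly created process is the ordinary CreateProcess start-up pattern, so writer to target is read as parent to child; that last point is a heuristic, not proof of parentage.

```python
import ntpath
import re
from collections import defaultdict

# Rows taken from the report's "Suspicious use of WriteProcessMemory" table,
# one per writer/target pair; the first row is repeated on purpose.
WPM_ROWS = r"""
PID 2548 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2548 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2548 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 3044 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2600 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1508 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1508 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms052411364641\7Z.EXE
PID 1508 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms052411364641\kms_x64.exe
"""

# Column layout of the report's table; paths are assumed to contain no spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, target_image) per row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_tree(text):
    """Return (children, images). children maps a PID to its de-duplicated,
    first-seen-ordered list of target PIDs; images maps every PID to its image."""
    children = defaultdict(list)
    images = {}
    for wpid, tpid, wimg, timg in parse_rows(text):
        images.setdefault(wpid, wimg)
        images.setdefault(tpid, timg)
        if tpid not in children[wpid]:
            children[wpid].append(tpid)
    return children, images


def roots(children):
    """PIDs nobody wrote into: their parent lies outside the table."""
    targets = {t for ts in children.values() for t in ts}
    return [p for p in children if p not in targets]


def render(children, images):
    """Indented text tree, one process per line as '<pid> <image basename>'."""
    lines = []

    def walk(pid, depth):
        lines.append("    " * depth + f"{pid} {ntpath.basename(images[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(children):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_tree(WPM_ROWS)))
```

Read against the command lines above, the tree makes three things visible: PID 2340 (TXPlatforn.exe) has no recorded writer, so whatever started it is outside this table; the 3044 → 2684 → 2348 branch is the `cmd.exe /c ping -n 2 127.0.0.1 > nul && del ...\RVN.exe` self-delete; and the ten children of 1508 are the cmd.exe echo steps that assemble ScriptTemp.ini and ScriptDir.ini, plus the 7Z.EXE extraction and kms_x64.exe launch of the bundled KMS activator (the HEU_* files listed under Files).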

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 www.baidu.com udp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/3044-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3044-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3044-11-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3044-10-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

MD5 39e90933e88c1571110d26e3d03a0273
SHA1 00506e7ae8f1c84bc24ee7f4e053d9f2393626d6
SHA256 a54456ee78ec9b0b683e8a548b59824226f81b0b90dc628fd3d625d53696a374
SHA512 348641ede4054a456e78be60f8abd3b4b21e8543e8c5764b9886e48f7d8914e49ad232ccdaa88c2924bd1ff872119e0acc925302f27a34922d520d1badb921d4

C:\Windows\ScriptTemp.ini

MD5 d20855712f120699977dada8e3aabca5
SHA1 1fd5517494e80a924060306abcf93e1be8b7b70a
SHA256 98fd2e85f3625450edc68c2cfc577b2eae600c79c74fdbcd3a16d4164c497fe0
SHA512 96851d08c71b2ea6469c8e142bc87984c10dde50c99ec4fecfb7011431b3dbcb1d59463df9ed246289f17ecf869d9e2d0910b1dcd10a6232af2c7f9adf6ab463

memory/2600-36-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2600-40-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\ScriptTemp.ini

MD5 65e36e9ee66d40b2b23059966f6ee34c
SHA1 79c4a7e07acc8e73d77ae41bf6f69cb5ae64946e
SHA256 f93d96d024aa245300eb875b3e762ffa3c97afb9b5359670d2bd057721ca703b
SHA512 d04d877031dce4238fe57f3130c6d949c7bd46bb8f4a113870aff922527c03e3d7f0d1fb7e7482eb5a9e2a3365149fd2033c6e6a8cb9c1963fe84caf08129519

C:\Windows\ScriptTemp.ini

MD5 7d940576007a02746dca47241623fd94
SHA1 eee21f67083400f2d318ccb28ed293d8ce815660
SHA256 f308daa8d533ac25c2fafbd2cb9ab7562e4da25f17f2b9cc217e3fffbb8109b0
SHA512 a1a38c9eb45980f2c422917f75bef29bcc4408793b45437b29326d9c613091b49b9f264c3063022c699f4860d3b9f71992e4f7a2fd5f96e510002037c6f83aae

memory/2600-46-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\_tempheukms052411364641\KMSmini.7z

MD5 a17762dc8329359b11ea9ca9eb0ffe27
SHA1 a7214744a61a1ef92a79d1148a81fb55abff64c0
SHA256 2f7c8f3384995341436fa90c1a9e545613a57e1ab9e73d90d0774c819844e731
SHA512 54d379fbf28d2d1d6710150a4285f1ba05e553e4b19708c3ae6fc866f3ee8dc5189aeacf5fe035f45716a68399f72a46d58e824cc7e10053a833dac01f9f1501

\Windows\_tempheukms052411364641\7Z.EXE

MD5 43141e85e7c36e31b52b22ab94d5e574
SHA1 cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256 ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA512 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

C:\Windows\_tempheukms052411364641\ScriptDir.ini

MD5 8ae2dae3a0651c88dc193f63deb0cdee
SHA1 4466469ed06e699dd8647263c4060fec752c5cc0
SHA256 b70662ce78f1b79d25502b40e95718f6f118ff4526f7e8153adf785e90e11f50
SHA512 1440888a5703c818053a3e7de13410e65dde4500ccfba3e1161eca05244fe5f4a7309fc1e20fddfdedfb669fdb0ec3ca6577a5f42b4400c06b1205e6929f9058

C:\Windows\_tempheukms052411364641\ScriptDir.ini

MD5 3737328a8daaddfc95d274a856d9acd0
SHA1 b3260417cced54f7b21485cac815dc059fd3aaf5
SHA256 d59f5d6fb01d0b1b1f21123769c6637e5f88369ed6909ca42e5cba018404d887
SHA512 872336fe49b7a2585464bc769d0c2fcf307304493fffe75128c218b4283871f40299cb500350d770fef27174198f1e1e70705bbf7e1a2ab48f4bed293d98f80e

C:\Windows\_tempheukms052411364641\cert.7z

MD5 5ffd2c6dc5dc2dc07fe5cd45448061f1
SHA1 a08c603c23a0fab43cd3903042de8c2c3cd26322
SHA256 7fd98aab6bac7b6264b2ef3ba7818c0521ef02793631f9d23e28929804bab325
SHA512 aec152ec9cce0917256a7d3fce49ae3cec43abd0dbffdde25a2eda52cd4bb6eee55f63a2169680a7b4b0e6c0792514f70bb1d0e397f627e87399b67ca4a0a61a


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 11:36

Reported

2024-05-24 11:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\_tempheukms05241136488756\OEM\cert\NAVIHB.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\10-3.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\Down.png C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic0\uninst-en.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\OEMDumpNET35.exe C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\ScriptDir.ini C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\_tempheukms05241136488756\SetupComplete.data C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\2-3.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\9-1.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\x86\SppExtComObjHook.dll C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\EXC.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\cert\HCLINF.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\DATATE.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\digital.7z C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\MSGlogo.jpg C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\13-1.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\10-1.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\11-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\2-3.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\4-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\HIGRAD.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\CZC011.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\TOSHIB.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\YUTC.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic0\inst-en.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic0\inst.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\cert.7z C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\HPQOEM.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\Over.png C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic0\inst-tra.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OtherOfficeOSPP C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\x64\SetACL.exe C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\digital.7z C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A
File created C:\Windows\_tempheukms05241136488756\OEM\gr1dr34 C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\10-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\2-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic0\head.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\cert\OEGROU.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\4-1.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic0\backup-en.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\21-1.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\Office2010OSPP\SLERROR.XML C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\JOOYON.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\cert\TOSCPL.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\FUJ.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\cert\TOSHIB.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\ONKYO.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\BACK3.jpg C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\LOGIN2.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\BACK3.jpg C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic0\shuoming.jpg C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\x64\SppExtComObjHookARM64.dll C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\16-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\gr1dr1 C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\9-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic0\inst.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\kms_x64.exe C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\cert\FOUNDR.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\OEM\cert\DSGLTD.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\10-3.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\pic\20-2.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File created C:\Windows\_tempheukms05241136488756\pic\5-1.bmp C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
File opened for modification C:\Windows\_tempheukms05241136488756\OEM\cert\CREAAS.xrm-ms C:\Windows\_tempheukms05241136488756\7Z.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts: C:\Windows\_tempheukms05241136488756\kms_x64.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\_tempheukms05241136488756\kms_x64.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
Token: 35 N/A C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_tempheukms05241136488756\7Z.EXE N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3432 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3432 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 1252 wrote to memory of 3784 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1252 wrote to memory of 3784 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1252 wrote to memory of 3784 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1424 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 3432 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 3432 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe
PID 1184 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3652 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3652 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1184 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms05241136488756\7Z.EXE
PID 1184 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms05241136488756\7Z.EXE
PID 1184 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms05241136488756\7Z.EXE
PID 1184 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe C:\Windows\_tempheukms05241136488756\kms_x64.exe
PID 3852 wrote to memory of 2936 N/A C:\Windows\_tempheukms05241136488756\kms_x64.exe C:\Windows\system32\cmd.exe
PID 3852 wrote to memory of 1240 N/A C:\Windows\_tempheukms05241136488756\kms_x64.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

"C:\Users\Admin\AppData\Local\Temp\c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo Temp=_tempheukms05241136488756 >>%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo [UserAgreement] >>%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo UA=NO >>%windir%\ScriptTemp.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\_tempheukms05241136488756\7Z.EXE

C:\Windows\_tempheukms05241136488756\7Z.EXE x C:\Windows\_tempheukms05241136488756\KMSmini.7z -y -oC:\Windows\_tempheukms05241136488756

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo [Direction] >%windir%\_tempheukms05241136488756\ScriptDir.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_tempheukms05241136488756\ScriptDir.ini

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Name=HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe >>%windir%\_tempheukms05241136488756\ScriptDir.ini

C:\Windows\_tempheukms05241136488756\kms_x64.exe

C:\Windows\_tempheukms05241136488756\kms_x64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\HD_c129a8d43df9f4827a99ef1aacb8accd2794af4a04af835982f9743ff908df8a.exe

C:\Windows\ScriptTemp.ini

C:\Users\Admin\AppData\Local\Temp\aut6DED.tmp

C:\Windows\_tempheukms05241136488756\digital.7z

C:\Windows\_tempheukms05241136488756\cert.7z

C:\Windows\_tempheukms05241136488756\DigitalLicence.7z

C:\Windows\_tempheukms05241136488756\OffScrub.7z

C:\Windows\_tempheukms05241136488756\7Z.EXE

C:\Windows\_tempheukms05241136488756\ScriptDir.ini

C:\Windows\_tempheukms05241136488756\HEU_Configuration.ini

C:\Windows\_tempheukms05241136488756\HEU_KMS_Renewal.xml

C:\Windows\_tempheukms05241136488756\HEU_Set.ini

C:\Windows\_tempheukms05241136488756\kms-client.exe

C:\Windows\_tempheukms05241136488756\kms-server.exe

C:\Windows\_tempheukms05241136488756\kms.exe

C:\Windows\_tempheukms05241136488756\kms_x64.exe

C:\Windows\_tempheukms05241136488756\wim.xml

C:\Windows\_tempheukms05241136488756\SvcTrigger.xml

C:\Windows\_tempheukms05241136488756\SetupComplete.data

C:\Windows\_tempheukms05241136488756\ProduKey.exe

C:\Windows\_tempheukms05241136488756\pic\Close.png

C:\Windows\_tempheukms05241136488756\pic\Min.png

C:\Windows\_tempheukms05241136488756\pic\Setting.png

C:\Windows\_tempheukms05241136488756\pic\skin.png

C:\Windows\_tempheukms05241136488756\pic\Color.png

C:\Windows\_tempheukms05241136488756\pic\smart-1.bmp

C:\Windows\_tempheukms05241136488756\pic\smart-2.bmp

C:\Windows\_tempheukms05241136488756\pic\1-1.bmp

C:\Windows\_tempheukms05241136488756\pic\1-2.bmp

C:\Windows\_tempheukms05241136488756\pic\5-1.bmp

C:\Windows\_tempheukms05241136488756\pic\5-2.bmp

C:\Windows\_tempheukms05241136488756\pic\2-2.bmp

C:\Windows\_tempheukms05241136488756\pic\2-3.bmp

C:\Windows\_tempheukms05241136488756\pic\2-1.bmp

C:\Windows\_tempheukms05241136488756\pic\3-2.bmp

C:\Windows\_tempheukms05241136488756\pic\3-3.bmp

C:\Windows\_tempheukms05241136488756\pic\3-1.bmp

C:\Windows\_tempheukms05241136488756\pic\4-1.bmp

C:\Windows\_tempheukms05241136488756\pic\4-2.bmp

C:\Windows\_tempheukms05241136488756\pic\6-1.bmp

C:\Windows\_tempheukms05241136488756\pic\6-2.bmp

C:\Windows\_tempheukms05241136488756\pic\7-1.bmp

C:\Windows\_tempheukms05241136488756\pic\7-2.bmp

C:\Windows\_tempheukms05241136488756\pic\8-1.bmp

C:\Windows\_tempheukms05241136488756\pic\8-2.bmp

C:\Windows\_tempheukms05241136488756\pic\9-1.bmp

C:\Windows\_tempheukms05241136488756\pic\9-2.bmp

C:\Windows\_tempheukms05241136488756\pic\10-1.bmp

C:\Windows\_tempheukms05241136488756\pic\10-2.bmp

C:\Windows\_tempheukms05241136488756\pic\11-1.bmp

C:\Windows\_tempheukms05241136488756\pic\11-2.bmp

C:\Windows\_tempheukms05241136488756\pic\12-1.bmp

C:\Windows\_tempheukms05241136488756\pic\12-2.bmp

C:\Windows\_tempheukms05241136488756\pic\19-1.bmp

C:\Windows\_tempheukms05241136488756\pic\10-3.bmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
