6997d3ef9707fd9b38ca14ae785c5eff641a909d29a1777fe9d18df8ae2dcb7a

Resubmissions

09/08/2024, 07:51

240809-jp7zjayajn 10

09/08/2024, 07:46

240809-jl755asalb 7

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WPS Office_12.1.1.exe
Size

350.9MB
MD5

18ffc2a9a2e45db4188a8ec632e8ac9b
SHA1

57998f5f51796f2e225abd50bc6c94c8023649de
SHA256

6997d3ef9707fd9b38ca14ae785c5eff641a909d29a1777fe9d18df8ae2dcb7a
SHA512

de2b83eb8599bc45c911fce457cb38b9049b3077c05290530649f58d413c699a1e51f2cdc17f4da9b6ae4d3b30cf7b15d8716de6b5dce2af6a7ef6fa5159e11b
SSDEEP

6291456:y43ehrvHTVOE1n6nSXfhO2d8nPkWvGmGeSIgAaeavINP8pIDzC97TJ42Vh1ovNET:+hrvHTV56ahO2d8nPpemeXv+UqC9fJ4a

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 17 IoCs

pid	Process
4848	WPS Office_12.1.1.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	WPS Office_12.1.1.exe
File opened (read-only)	\??\M:	WPS Office_12.1.1.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	WPS Office_12.1.1.exe
File opened (read-only)	\??\R:	WPS Office_12.1.1.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	WPS Office_12.1.1.exe
File opened (read-only)	\??\L:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Y:	WPS Office_12.1.1.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	WPS Office_12.1.1.exe
File opened (read-only)	\??\T:	WPS Office_12.1.1.exe
File opened (read-only)	\??\X:	WPS Office_12.1.1.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	WPS Office_12.1.1.exe
File opened (read-only)	\??\P:	WPS Office_12.1.1.exe
File opened (read-only)	\??\U:	WPS Office_12.1.1.exe
File opened (read-only)	\??\S:	WPS Office_12.1.1.exe
File opened (read-only)	\??\V:	WPS Office_12.1.1.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	WPS Office_12.1.1.exe
File opened (read-only)	\??\O:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Q:	WPS Office_12.1.1.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	WPS Office_12.1.1.exe
File opened (read-only)	\??\B:	WPS Office_12.1.1.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	WPS Office_12.1.1.exe
File opened (read-only)	\??\W:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Z:	WPS Office_12.1.1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsInstallerBF\holder0.aiph	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\Clofficewx.msi	WPS Office_12.1.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS Office_12.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe
4480	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4204	msiexec.exe
Token: SeCreateTokenPrivilege	4848	WPS Office_12.1.1.exe
Token: SeAssignPrimaryTokenPrivilege	4848	WPS Office_12.1.1.exe
Token: SeLockMemoryPrivilege	4848	WPS Office_12.1.1.exe
Token: SeIncreaseQuotaPrivilege	4848	WPS Office_12.1.1.exe
Token: SeMachineAccountPrivilege	4848	WPS Office_12.1.1.exe
Token: SeTcbPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSecurityPrivilege	4848	WPS Office_12.1.1.exe
Token: SeTakeOwnershipPrivilege	4848	WPS Office_12.1.1.exe
Token: SeLoadDriverPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSystemProfilePrivilege	4848	WPS Office_12.1.1.exe
Token: SeSystemtimePrivilege	4848	WPS Office_12.1.1.exe
Token: SeProfSingleProcessPrivilege	4848	WPS Office_12.1.1.exe
Token: SeIncBasePriorityPrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreatePagefilePrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreatePermanentPrivilege	4848	WPS Office_12.1.1.exe
Token: SeBackupPrivilege	4848	WPS Office_12.1.1.exe
Token: SeRestorePrivilege	4848	WPS Office_12.1.1.exe
Token: SeShutdownPrivilege	4848	WPS Office_12.1.1.exe
Token: SeDebugPrivilege	4848	WPS Office_12.1.1.exe
Token: SeAuditPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSystemEnvironmentPrivilege	4848	WPS Office_12.1.1.exe
Token: SeChangeNotifyPrivilege	4848	WPS Office_12.1.1.exe
Token: SeRemoteShutdownPrivilege	4848	WPS Office_12.1.1.exe
Token: SeUndockPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSyncAgentPrivilege	4848	WPS Office_12.1.1.exe
Token: SeEnableDelegationPrivilege	4848	WPS Office_12.1.1.exe
Token: SeManageVolumePrivilege	4848	WPS Office_12.1.1.exe
Token: SeImpersonatePrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreateGlobalPrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreateTokenPrivilege	4848	WPS Office_12.1.1.exe
Token: SeAssignPrimaryTokenPrivilege	4848	WPS Office_12.1.1.exe
Token: SeLockMemoryPrivilege	4848	WPS Office_12.1.1.exe
Token: SeIncreaseQuotaPrivilege	4848	WPS Office_12.1.1.exe
Token: SeMachineAccountPrivilege	4848	WPS Office_12.1.1.exe
Token: SeTcbPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSecurityPrivilege	4848	WPS Office_12.1.1.exe
Token: SeTakeOwnershipPrivilege	4848	WPS Office_12.1.1.exe
Token: SeLoadDriverPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSystemProfilePrivilege	4848	WPS Office_12.1.1.exe
Token: SeSystemtimePrivilege	4848	WPS Office_12.1.1.exe
Token: SeProfSingleProcessPrivilege	4848	WPS Office_12.1.1.exe
Token: SeIncBasePriorityPrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreatePagefilePrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreatePermanentPrivilege	4848	WPS Office_12.1.1.exe
Token: SeBackupPrivilege	4848	WPS Office_12.1.1.exe
Token: SeRestorePrivilege	4848	WPS Office_12.1.1.exe
Token: SeShutdownPrivilege	4848	WPS Office_12.1.1.exe
Token: SeDebugPrivilege	4848	WPS Office_12.1.1.exe
Token: SeAuditPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSystemEnvironmentPrivilege	4848	WPS Office_12.1.1.exe
Token: SeChangeNotifyPrivilege	4848	WPS Office_12.1.1.exe
Token: SeRemoteShutdownPrivilege	4848	WPS Office_12.1.1.exe
Token: SeUndockPrivilege	4848	WPS Office_12.1.1.exe
Token: SeSyncAgentPrivilege	4848	WPS Office_12.1.1.exe
Token: SeEnableDelegationPrivilege	4848	WPS Office_12.1.1.exe
Token: SeManageVolumePrivilege	4848	WPS Office_12.1.1.exe
Token: SeImpersonatePrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreateGlobalPrivilege	4848	WPS Office_12.1.1.exe
Token: SeCreateTokenPrivilege	4848	WPS Office_12.1.1.exe
Token: SeAssignPrimaryTokenPrivilege	4848	WPS Office_12.1.1.exe
Token: SeLockMemoryPrivilege	4848	WPS Office_12.1.1.exe
Token: SeIncreaseQuotaPrivilege	4848	WPS Office_12.1.1.exe
Token: SeMachineAccountPrivilege	4848	WPS Office_12.1.1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	WPS Office_12.1.1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4480	4204	msiexec.exe	88
PID 4204 wrote to memory of 4480	4204	msiexec.exe	88
PID 4204 wrote to memory of 4480	4204	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\WPS Office_12.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\WPS Office_12.1.1.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BE30C524A08EA2E99A5AA418D4301CC9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\Clofficewx.msi

Filesize
4.2MB

MD5
ab81df6e4ec8d98854795949ef2285f5

SHA1
95cb732eff3d856a1f5e21c34bce071cd9821271

SHA256
3dff594d2d634646ed21d2bdf3546eb02ffd9057c1891aebf6a4871f42f05b2a

SHA512
420ab89019f8fb98725734d1eb0ef0e397a7879b50a81429d3d1da8fbdb5e204eaf711e4532f6dd5bd0ed36741cd397512a53a078b0fa423334881a7fe09d857

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66275e1c20a59ade4c1ab234\1.0.1\tracking.ini

Filesize
85B

MD5
e77cf8b9f8de305305c70959c63f8f81

SHA1
08de98aa1137a0fb5756b83a4b314c926fc58544

SHA256
a16656f54e38b8552df944bb6c661480572009df9802985bf19a2c2e6c1494de

SHA512
36f2d8e9d03a47e6d37ba91b26fa1462a0ac0e99d9da8a03e7ae4c8550df6935760b364e6d75ccf0e0c14495793fd3ec0e596c4f181815148f496c5a73ba4b67

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66275e1c20a59ade4c1ab234\1.0.1\{5B572A26-69E4-46F4-AEEE-CA22C2E2D544}.session

Filesize
28KB

MD5
999487c3ac1388d6159b8852402512b1

SHA1
e13a9f8015f842696379e7a751e240e2eada0a46

SHA256
cbce33fc00b6c827b89c903297378e1602b787195a70c88589f78250c14f8420

SHA512
33e2d8e3603dae7125bbb0e2fce142cd30f6a8e5d9a974ed37946c49f2cabc3a8db2b604c5b52fbc4e5a64678bca12cd076439ad4eb25fe0f844965d032c5a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_bottom_left.bmp

Filesize
92B

MD5
0edd17e9905d463ce23fbae64563c8da

SHA1
2c26d30e1b7a5761f5048d9494349cafe40979d9

SHA256
237e098ed029198e9f7cfe71babd6bf9ff3962ed78a263dc7426ea663e601467

SHA512
fc358ad0f2e482ad51af201f2883259dfcf0d577db1be8cff2b9048f22827278cf0cb8a3f76475222d86be7e945ce9b34aa9b86fc625c908ffaea0ad6b1ea2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_bottom_left_inactive.bmp

Filesize
92B

MD5
1b38ef93df0c5d4c6c2a10ca0115a28d

SHA1
17fa1779a66696f9ee1406da73133745eb4429dd

SHA256
4292ea3565b63946777d999352a1986e8f5950f1e8e51f030443f05dbdbde57d

SHA512
1b0b3c6fe0f359ae383d3d5b069341a900aff610e91d7752d4290fafe11ac73dff3ca349deb6599a6d358add4c769ae6cb05c2b751dbbce738bae4082167e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_bottom_mid.bmp

Filesize
68B

MD5
445b2b911b105ced9b1a3a5caaa594dd

SHA1
c326010a040a6d19837360907745a7a05982254f

SHA256
ecfc46e3ba63cc8d7de04134a271b171d9efd714e4ce9611115836a5b4518e63

SHA512
1ded63a90006bd2bfddb1de399d0cb483e52a94113e43b3099b6bf3dc7a9a0c7ae74249ebaa600d0d184615661f2ff557b62ed65f073bfaefc4f84e0cb420360

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_bottom_mid_inactive.bmp

Filesize
68B

MD5
7610648b8e31404e1621a7a5b510b86d

SHA1
d51d517a8472bfe40c469afa8869385d5a0e9783

SHA256
48837b62a6a6bc71359ff74bbe8a672d6b23cc30344c12e006698f069890a2b3

SHA512
24b03969fd28de9919d86609bec03e6ed732ed78b8e0de3f2fe5253180817d1471e3ed004abb5ecd91885b6281cef1b8e508e38e6f76fdcfb88a29e308ac78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_bottom_right.bmp

Filesize
92B

MD5
c288357164d52b2cfd695c792074323b

SHA1
c8b7b1ddb78c929ad56d8bbd57ff5449afa04be3

SHA256
709d6fdbe00694f7dc115e923188f62cdc72d39e739280a1aff072d1a49d2674

SHA512
8d07e5c163c9e4b0d04a861e00be1f578d7a77c2f3eba80deb3895b2b354d4015ff1905a2dfcdccc1b8ec839359dcc302e09f753623aa7f0df212540ce8a56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_bottom_right_inactive.bmp

Filesize
92B

MD5
2c84c848bbcd7bd57579d3431e8a363a

SHA1
5dc73f68798e73318d03979810bc00a4e94956d9

SHA256
f212b152d4647edcd36d2218713296afbf9ac5e86965c309df8f245fb89a06e3

SHA512
5af2bff30850458ef08340fe4ef9ae9e78d5ae1124c3a9dd365b6dd0e97a30ba079e466ec7f127485f5a89be7350d27371fee665b9d6214cd94532ed346effa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_caption.bmp

Filesize
144B

MD5
a8a4420fbe5dbe8fff5a4457fbdc0923

SHA1
4475046bf4a5b7af62099521d2a28df47eb14fc8

SHA256
4e504366b5a0b48020ee2e29beb17092010cedb50caa9a901bd6b2e921803582

SHA512
dac1a4fce6a95b965259eb7b92fa73bf532f3f2af929d5930538e16a2bab40d58384ea924ce63dac9235cb6e5585171a21b835ec2b2e359091bb2c7861263bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_caption_inactive.bmp

Filesize
144B

MD5
3d8494dd57ae17b57726e6530fc60237

SHA1
09b19ee5fc72b2a07452ed242983c464e2ed5eb0

SHA256
196bf30cc41139ccaecb41584fcdc4a61842c246f81a3c7c4a6ba2a5bea4038c

SHA512
3e02e2c06c922ff58c7a6bb9e6b320e7e9a1dc70cd283986657b02ececf41219454a1d64b5fc02733744f1a2d31b507691b6854e362639ff943ad5e719238343

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_left.bmp

Filesize
68B

MD5
78e5adef0e9078c2a76ddea85c1c4dc4

SHA1
8da1ed8372eea6f5ce10154a52b5bd9bcbf1cc18

SHA256
84cf7696e5b73513bcf78b1611de3fac76e9f99cf9112dd9ea963850441b62fe

SHA512
a1f6ee057ad820ee4fe4bb9b9c7703da8bb9e47109ee384e828e6cb16cab7fc9a258e39d413ffdf40ca51e2275737f0b68acd32cf7c6577ee9d7740069a3da07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_left_inactive.bmp

Filesize
68B

MD5
39cbd0b2cf89509c50ee74963f89f70d

SHA1
777755cb3e7eac9f8377552820dec7bf9d48fbfb

SHA256
a46d900fb1d3ba41e6f608587f4a4a414314f48a56cdca10716491415d38a07f

SHA512
8d4486150f12cf144d242735c9940c296deafffa4fd92029909f7b402c4f26f7b3e8ae9f2dfa5518edf5c8bfb6b622b6cbe3cd6ef39c4ec40eb601f3c51b310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_right.bmp

Filesize
68B

MD5
2e805b0982cda361e322e201df8cceff

SHA1
a199d51aac3ac44c62b7cf9afae22eea7932c63b

SHA256
c3f2a56930697c4db1ea99bad9f20d7b750f5795181a63eb608c57b7643edd22

SHA512
dade5a2dec58631d4f88129012ae941465397fb498ea52010b2c3abd1e7130d73d47c78bbea0a600b868bd655c2e2b1a141d683b20c7c01099f8e8f116659785

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_right_inactive.bmp

Filesize
68B

MD5
171e23cd227d985b89098c5cc632c144

SHA1
2349eca4f92e1d4dcc2d47bc3d166a7081a5485b

SHA256
c9d87fc1e021caf801e31e1359d3a13e1da0c484e3a21ea173d352f924e1a924

SHA512
d9ae5802b331b6b8f38e129bd1e4e07270b7469df2ddd627ef0d6dc7f1cf33f87c334de00ba35c3033108876291c67aefbf7b34b9434faa42c79a2aae6b4f036

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_top_left.bmp

Filesize
556B

MD5
d4757da90bf3a96d5ca1b7d8fedf0a1f

SHA1
c4be7503191c6926ad33853b05cc43ad87a6b1e8

SHA256
0e8b86d175526133e239a0a4dc6308c6b529d9b2db2e469ce5098a39f3432168

SHA512
b0fa9ac1b48e4c2d9e4289a65a4f8d46edeaaa5d43309089d67778ce72c72f2e352a792b10c24146c75e604f83158e5b0e665fc70df9886dfd4128f4b1fb2471

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_top_left_inactive.bmp

Filesize
556B

MD5
df94017171d579959895edc072d39120

SHA1
0c0facceafac06c603f125cc170973851796d961

SHA256
706d0ec93ab304f05f6d3b8b9da613ca404943e9dbff9061984b5417f15711f8

SHA512
2576993c63b702ee9c6428a7d2698f94d6b7afb5277b60a0f51979ab7494651ea68ed46c0448a6f7d6954455aec9dcf17755cf20e666a7267197adfd4d162a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_top_mid.bmp

Filesize
68B

MD5
440363d27344241cf3574cdc43cca3d5

SHA1
cdeb4f94ae64c5bbe4740c3773e9ea8c8502cac2

SHA256
358fe1e6b51dd850c2463506d20d341b6ac09194ce0844734cd5386a4d82692b

SHA512
4f7edee0f1e294995785f792ed03b74991c8cf8a750e996477fc8590e0645187fe9201bc4847cb4fcb790bdaff0ba29c4fdc7f7a088180514583eb3fda29c58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_top_mid_inactive.bmp

Filesize
68B

MD5
fc284f137a181d626cbfb9b980265a14

SHA1
af1dc42b8706f65e80b5aa021da38e7c48bf5ac5

SHA256
ebf14004abb9171efb791d5ed78d6f028f09775ec047bfe2bd9a3ad4dc431a0c

SHA512
aab8700806a42877b1b09379a606d49426cd0fa62c0856cc64bccfec6ed1e67130a908fb8d4feba6c6d1b8d530a5acb380fad9d6ed1a170103d3a90a35a788fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_top_right.bmp

Filesize
556B

MD5
50656c6f33cb1490eee92cfcf2f4fa80

SHA1
ca5a3fe9b1f6130e6452cedf5d3734781f6e150b

SHA256
ef8fc7a18af77fed42bf20fd640543b0cfaf312a4c9dfc0c2f35ce1af9ae58e9

SHA512
b8e2e2945fcb5699e063bfdad3fc6ae72be96bf342883dc60b8ac81c4143888aa23ccf237b935f56b5f586afe4772eda39b443e0797385ed358638cb7052eec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\frame_top_right_inactive.bmp

Filesize
556B

MD5
4178d84d2cd986063d2a7c91c57295d2

SHA1
fc5ea9402cd9c325716a2b79d070ac3e756c9f2f

SHA256
5365b988c102e46f73418ec36e0de5b1749c2080c3d2da660c507a9c505f333e

SHA512
aca1ca7e16049adf1b26dc8d26e99461069fd133587e748012347e66eef9bdb90fda0d197c86334667cc04b0289cfbe8fe8727eabf3bde9827a1066a71133a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\info

Filesize
14KB

MD5
8595d2a2d58310b448729e28649443d6

SHA1
08c1df6fbf692f21157b2276eb1988ac732ff93c

SHA256
27f13c4829994b214bb1a26eef474da67c521fd429536cb8421ba2f7c3e02b5f

SHA512
ae409b8f210067ac194875e8ebf6a04797df64fa92874646957b2213fb4a4f7da2427ef1ed8d35cd2832b2a065e050298bac0fc99c2a81de4a569a417c2a1037

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_close_down.bmp

Filesize
1KB

MD5
4e21b56ffc64f5bc7c4248e33801b011

SHA1
39c05ba5b899f37d90b3722e7edc02149eeb365d

SHA256
ac4eeb5c037deab4e210ad8e6c3afd1816c27a64a92dea633fe982b912e680ac

SHA512
1464a774a4e4f27a1a739f8c7b721aeb47e17b4981a3f5496f9265b996677bbb98dc3310a34a5e56eb851225fa3bcbbc233a44a0751763beb095ef23e878cbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_close_hot.bmp

Filesize
1KB

MD5
2b4492d6f63f5c41aa26de798f68b982

SHA1
2840f9587b63f203639a88731df67c22796155a9

SHA256
be759b55afdd188282204a5fb650ae8903d534a5d296278e225768415b8b8624

SHA512
fef57068682df050e5694b5fa10fc914830f9fc419c414ad156fb7fa155220d61088d1bebfe1829d95a2af3ee0d46867ecc2bc1fe78b3aeee3e648c127625f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_close_inactive.bmp

Filesize
1KB

MD5
e7952db81da0e938aae851a1927682bd

SHA1
52d937797974c2a285a1456b133024107eea351d

SHA256
834c911f88c6a063e34f29060a3fbcc95afe267d868a57625e74e76c9ff1108f

SHA512
0e7facc4181e46cc748c0a6a47df02f0a459c06440409d366c8b0fc29218d05a3c1685f071aca4e58017e7e08449a3a02a5e6ba2e06ab68e6e3234e3766ef310

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_close_normal.bmp

Filesize
1KB

MD5
8d5e21a5aabb3581d5e5a2e5907ef7fb

SHA1
f810a458cc0a28e72e65887a744ccd5be07f4b82

SHA256
5d70323dc723f965dfc29cf36e0ebafeafcf5e520d2beb905fec086ce22eefda

SHA512
86ee08e28a275d4051236dea338d5394cda2a0bb6b4fb9e7bfcc8e0403b9816221b554805fd53f7b5dfdd6eda4a8eedca23f435a510894e70e051c905953e197

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_min_down.bmp

Filesize
1KB

MD5
ba8de1a4fb2e3ca280cd7a3f72d28bcd

SHA1
4bcb1fbe1390eb0101df72725b34e364ec0cc551

SHA256
a3f47f44ad19a5e5b42204da311a883025f4f7d951bbd427edb3a20d759fc5e8

SHA512
dfc97335a12e1b33209e2dac7f222dbea7f71b93bcd6e4689dd409cbab6096c78210527f1abe0c3bb00bbe5cb38b3691b9355aa04d92975c3348b2096c141407

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_min_hot.bmp

Filesize
1KB

MD5
02f22afae35430f2092e77bf1ca577b0

SHA1
91f97b9e65a972da62fa1f1254b6d1ef1f0e80b8

SHA256
d36ecf7b57c82496e41f7f5f36fcf21be7f0c061b999c5662f18530909ab6542

SHA512
fae0d6e818c987ef1c7829301b39da098e4766b4a33bac04a7b4d42e68a3b6df3d3a6b4c3e29d31bc0cb48b541c8316d4ecc3216f6c2aa7827e2df5aa1a57786

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_min_inactive.bmp

Filesize
1KB

MD5
216e32733b99d128ba7b1de8748a5d12

SHA1
2b857cb52ce605e9b8470683468bf331a86a042d

SHA256
f856a6e498ef981476b85590200b3cba06b04c80329b434c1a3f89ba7c7240a3

SHA512
3ce39384e4e0138fcf1048819543ba6c6353ae32b597d64c06024f7bf63901d69d23ecf07fd6f754c56e5115a4dcabdb680bd98df86db5d8c729552f80be9d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4848\sys_min_normal.bmp

Filesize
1KB

MD5
eeda62be091f6ef68d9ba7d76c9cfd84

SHA1
822372b556a550dd93f931b1d115c888d611fd20

SHA256
3c746ad942bdd0a9b95414f80cd0e20c32251601a9d579bbdfdab6c9ad7414f8

SHA512
ee394717a1191ed3556ff9359d35861a475a96a14e4026f304d42156e357ec564522333ea745e90bfdcd2ee1a85a01316999ef9b601bdac47b6ed7015f0c8e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\INABAF3.tmp

Filesize
1.1MB

MD5
997c2f6dd1f62628663118a7c9c4e0f3

SHA1
5d10acf9f019083719ae4f61118054f494eb7dda

SHA256
c958d2bc34ae214a3fec0337dd877e63d68e09b8f7b98fb502fa67479474ae7d

SHA512
1a7d9eefd712df08b89c8209a04187ec802e236d25b9b71e86cf02aaf3959e6958bec942d779936389a75a190a4f859c604e5a996a852d810c704d416657c59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBB34.tmp

Filesize
738KB

MD5
36cd2870d577ff917ba93c9f50f86374

SHA1
e51baf257f5a3c3cd7b68690e36945fa3284e710

SHA256
8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

SHA512
426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBC40.tmp

Filesize
1.1MB

MD5
7e4ef4bc701a5f46a1fee1a9fdc403f1

SHA1
ab00fc0985d7cae8ccfdae1cd4e687192f079d47

SHA256
34fe948e2b005a424f4e8aff9d9ef847d5623b99196fe5f5e9bff4983770d95a

SHA512
7f8013d024142377aad49fc2c5c30376a4b9dd6c732dbbe3d88d2377965ca9e544d7065c7ee5aa1bd9d29b51f19255335c7ac3f85b5079b1cad710dc74bb8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBD6A.tmp

Filesize
870KB

MD5
65b853552e16654c53ab4d16920a9182

SHA1
9f8182ef1b58d0d52f4faf1688d4f4e9dd8af5c5

SHA256
80c5e769470bb98c5b1ec3be0a9a51f0821c67e9adc7e3e254bbc41183ceb76f

SHA512
b56c00e78ca901738a4a067709c772cfbdf10d3a049af4e7eb6bd7a0cb0629472d7798dabb0eb82958ae90cd71acc79e5cbc3d26b0f42d3cc7cc8ec2236aa54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiBFF6.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiC007.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit