64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
Size

5.2MB
MD5

65d0acf61d811450d720a10bd89db348
SHA1

576b71664a57c265fa9388fe4b5715219689fa1e
SHA256

64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3
SHA512

0dafae2d8a6d30a740a083ca227694062141a78eaec4dac60b38650b7326517a301c2256a5eb1ada08c103b0196e6c21fd4ecbb8e0adaa0985fbae1aacfa875c
SSDEEP

98304:Sg56c9Ag8GvhGx4WcNXDgHsnB+3A9exe1mkn/DJC2HFWjSbS2mVfHey:557WgP+4TNzzY3A9e6mU9C2H8jSbIt+y

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	7z.exe

Loads dropped DLL 3 IoCs

pid	Process
1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
1480	7z.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\a:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\k:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\o:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\s:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\w:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\v:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\g:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\j:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\m:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\q:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\u:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\t:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\z:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\d:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\e:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\i:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\l:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\n:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\p:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\E:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\b:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\h:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\r:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\y:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened (read-only)	\??\f:	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\CIMV2	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\XECUDNCD\root\cimv2	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1480	1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe	30
PID 1856 wrote to memory of 1480	1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe	30
PID 1856 wrote to memory of 1480	1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe	30
PID 1856 wrote to memory of 1480	1856	64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe	30

C:\Users\Admin\AppData\Local\Temp\64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe
"C:\Users\Admin\AppData\Local\Temp\64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\7z.exe
  C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp.\7z.exe x "C:\Users\Admin\AppData\Local\Temp\64f6bc2cceb66baa1f5ddaeace8dce0be8b040dbb6c4627674d9def4f0337ba3.exe" -y -o"C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp."
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autA86D.tmp

Filesize
2KB

MD5
bb0856429b23ab24739a9a96acc4d130

SHA1
f81eee767c7bb3671013f0eed576d797dd87abe6

SHA256
292e9486a27b9725cf0cb8d1bbf96ee800dae6cbf440824016991f50cc295085

SHA512
b0874ea409481794b9bea9a435b633634804a3272e9a962a9e1fbcbea365f980682ab00f70d7237952145b28086f013abe85b3b66308918b2c9eb1f23b5317c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.txt

Filesize
3KB

MD5
94a2376bc6e8159f3eb44e47d69f5328

SHA1
0f09f74ade00866afd07847982f95dc4400d3890

SHA256
bb5d45acf500267af3f8c91cfc29648c9d5078e75e172e06ae5e86d531ffb7d9

SHA512
485b3bfb491ce5d7744dc222284d436cd9768d856957a763955965d63e0720a34b0987bc677cf60232706421795a8139845b9d1822aab0533da28d4e133b95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\1_Mode1_3.jpg

Filesize
23KB

MD5
8088423b4258d2fd19da275db2d26007

SHA1
2c938c9b707835d9e04e3e56ce7d128e01b0e04f

SHA256
2c48d3d3394e262433e28204badc3ef0d8e319320ad2352c2363be41056b9bd3

SHA512
0410be745ba8f4db775d9894a23e2745d4081b8b49e6f638757533a2f611a370430d7bfadd078c2ce89b50257627d6c41178e38076819b6a90a3453c205893d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\1_Mode2_1.jpg

Filesize
22KB

MD5
4bb3958c16d8e5512d403fc76120b861

SHA1
4d3647b933129affe0f00b71d2aaac86fe72165a

SHA256
d4abf5fa7e6ead953c4b371cd88e3ea7f405843a7a4b3b95eefee382bbc6bc61

SHA512
6cb15dd3ac07b1b1d6d980cc72de52aa5c37edd4a33808f4ee067fef949f67ba1b41051e6bc78fa55c1a259497a80d0d186a9508b55fb78b7b389697138a210f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\1_Mode3_1.jpg

Filesize
15KB

MD5
c004bb61b683d5ae80f28cdf45098b0c

SHA1
ce3e8729691d64eeccec357dc72d514e87a54266

SHA256
fa05a70ce373c2758a07efe985de5de0f0ba5c797fef88df6e1976a9a61fed60

SHA512
f0cd631ee3571846d486a31aef16386b06472a900b191007abbb04853947d150014d0dea3683e99938d3c1dbfa94b5ff923ef1d4be092fbebcce68ab83197e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\1_Mode4_1.jpg

Filesize
27KB

MD5
9f8f686ad36b908a485dd875f05e4bc8

SHA1
75b637c7fe8923029d07ae0cb97aa2ab4a27b76b

SHA256
79a8a8d5049bc931aece1c64b102c0170d30dda8bd8208acaf88eed74ffe7511

SHA512
3eb3673587deda5cde896ddf9c8d846a9d995ebc0ab9c11979630ec03a5ae67155e266e4e9a4c0973903e969cad8768730591029d944a16a96f7fffb80611a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\2_View1_1.jpg

Filesize
7KB

MD5
a13bec6aabe4829d499461799eb4c10c

SHA1
770601e70e813fc6064b4e336853dd60543918a8

SHA256
6cd80a7cc31e23e11c07d84ad1960ad4f48b8d1241151d24bfeb91b533bce52b

SHA512
471859cf7ed4d85c570e4ce7c75cbf4aef6d8fd2293747a3fe2c8bb5945582e2b918bad68dacfe9a762fccff76d6f03d7a95a378b02a53e6ae9b1b610c078ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\2_View2_1.jpg

Filesize
1KB

MD5
66f95b5b27e5acee979fdd3490be193a

SHA1
3e24661922ba1167c098593de0a5932864d22427

SHA256
3d78c1a19b15c9af2938022a01f1ff3ad9765a0a9f79c74ef7c276173d75d3ec

SHA512
6a266190997418faf472609d71925b04b3eee6c39080c2610ac36ae9a407ed9bae7a34aa4896e06ea403f5c5806d705bbca3dfece2c102b86c88ccbdbe0df6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\2_backup_1.jpg

Filesize
11KB

MD5
40a79f9bce3a2aa12f1ffb9fc9f68bb6

SHA1
dfc795863a0b4294bb648472be0645151260caee

SHA256
4e49a0d60ac17533146918c1494c6cadd7b546e06c3b878d8019f25f26622a52

SHA512
2327a116db3fdb2d8aca1a77a5b087f29b6e6a5603f93c68b76e7dcfafcdb34dbc2c1dadd1e27c4a0e7889dc15eb81077b578f50c5406e983be5dd0bbc938a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\2_restore_1.jpg

Filesize
12KB

MD5
fa7fc2f47bc6dce7f92870294bf52bad

SHA1
2be8c37e96b4867f5f1ca0f4b5b7ee1860016466

SHA256
05a34b0be76d53d72515c351b7c30a8773a496f7c4d70e4195646352c361d59d

SHA512
1dc1143c4e7fa5fffecb6115b2414b728cd247eeef624891053ea31f80de8af6a4b29629ffdbc80b8eb3b7d30ce69dcca5c4df706352fb9ba5ef5e2f54aaf195

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Check-bg.png

Filesize
239B

MD5
afdd5acf6aace2e475a58b6c901cc36a

SHA1
d2ac66b202dd7c5f5d7c211ed655760422c772bb

SHA256
3d8eac6d182fe984d704fc5cdac0b7e84e2a85df87367fcfc7efd34aa3dca0ee

SHA512
c517c83ce47ae7ef1370e798c79635e801421244b51db462a6cc0a5e810a51b05a187c482b1a2b718ed79ba0f8bf914a892501c32ee22fbe4ced8cf077722da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Check-top.png

Filesize
222B

MD5
eed47b591756ef44844810e3136080a6

SHA1
22ac38518ac8205829ab7a86304be74e804314a8

SHA256
dc5050ad309bd811bc3bca0e4f7c5483569220de4244da1a017be8a84ef6e9ef

SHA512
d4c6a35fb58dd3aa6a2e3b0995d7b6b457cc87a58363d6860ba9301f4f4c7aac12ad716fc781fab9719e8524901fa541815a5d2dc94f8f6d26b9690d99a0b581

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Checked.jpg

Filesize
2KB

MD5
775380e313135a57bc3e33f7296f8e9f

SHA1
bc09c717e837ec40a3423722526dfadea286c89d

SHA256
90c05774a82beb2dd4b3e487a9b9bab50155b4c808205e3071e1f930eeffbc84

SHA512
3aab28405345709709efbcf2b51e97653d3de448c326db243ddaf1500da113785ac7fd8624c2fbd64bbbdc3bc2913605177729325cacb957d9b91630a94ef83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Checking1.gif

Filesize
65KB

MD5
d9d9488e40f9c1faf8409fd499aa7739

SHA1
a8088285f4d262692abfdf127bc3fbdb55686df1

SHA256
d92ebe4bedcf09621e4c9a07d1a372a4bd8746ba596b074d48651d29a6d22b44

SHA512
6dacd88117df00779c9a388ce6f3b4c81c7ab7c2b21f712d561953ce22bb4e3e0aeab98217cd57894d1dd702a4497a82cf2d70d7846cff651eebb43667bca948

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Close_1.jpg

Filesize
850B

MD5
e86a04267d947c1a0d0f157b5787a232

SHA1
8839b1267ff413de8f1d9229e538dd5cfdc5065a

SHA256
dcf4c99dab3142414890de4a570efcbb3f4757121afd1509f8f0fc95df601b00

SHA512
00485545c55fcf74f1d880631e5f8fde94dfe5267343ac2cf65b9ce74f3a75d32b702acb82c9f3f8ff7765dcd9c2c69489404c3540cca3073c2807ce72fbe904

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Min_1.jpg

Filesize
594B

MD5
705cefcd90e95ab5db12e9c26bc15bf2

SHA1
1bcad5cd141b4cac8257c5afe8de038b5b5b4272

SHA256
39e5f28be2efdf027b07e6e9dd35e32d7794fc239dc3a7571e7b8caed4997bf8

SHA512
49a375165bfc02469ea272628947dce58de1eca1945692d07ead13344de47c2d1b830a1efec90494c4713e03a00b4975efd687951bfdd04f30fb70ad6d150ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\NoneUsb-bg.jpg

Filesize
14KB

MD5
108274a46dbd3427a9b55ff5aa1cd5cc

SHA1
be6ad7353fe21fc70ca7c6811322b4adb37a7407

SHA256
761deb6a719ff5fb2c44edb4200c619907a59f1f07e6f1d2f29611916e58bb4d

SHA512
bf25b51128d451945af2e054dce25290519abba38d4b888a8e8f66f0a2e333655df0380fec8051b3bbe03c651d858f33fae0b61d2dd3783cbe0da94e0aca4115

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Point-gray.jpg

Filesize
757B

MD5
5b432f9056fc7c23eb9225e63bb7b9c2

SHA1
75c55bd11ac3c33bde396b6441bebf06f81898ac

SHA256
3f315cc976bf497927c7c1c21fb76f882e3b1facfaa2c118baa2a88d0e2ad1df

SHA512
82e424b04c7379abb0ee3fe16008ad24348e93bf9621eeceae112497240ec7ea454fc6193f7c18a417a7379ce3af9156b4cb47a20ff2381abec3230b45170de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Point-green.jpg

Filesize
497B

MD5
5dd67340140911154eae1d8c420958d7

SHA1
ff2b6abdf63423dbccd51a24b550c2ef74f7a9fc

SHA256
06e5547f5d90ce62bc2457516983ec64c514512c26d0e1bc9d24932d5cf9d2d1

SHA512
c80d62d1100e113820f566281888a1556482fcb0043be858548e31ce43fddf69efb5816ef36758915ca271dad817af7c29737b1ce82f75c825222337ec33951d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Pointm-gray.jpg

Filesize
912B

MD5
a5d3196c0a12b86689826e564775441a

SHA1
791b8ceee7b223ea21b69a4e2995aa0dacef8d99

SHA256
2933a5c833a8a13c7a673f1c9c10160e79e23326153811f5e66ef83dac9d8237

SHA512
4581ea71d5ebc65dade523d599839d7053c14e7f4b6c440f620be12a5fccb60567d52fa3503da60dcdb84a2a9123d044364f07c4e840d2f1b87b73f8dede9e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Status-completed.jpg

Filesize
11KB

MD5
4725a096b3b52fa9c1001f6d670679e5

SHA1
24522eb826932d2f63e49f854939a588d7c5ad7f

SHA256
101e12034424debeea855820afb54e56af34ed000dd31ee7f9be97619f8cd781

SHA512
b820005e312551b41483f001d55b5ebf4e1cfece23fbba3a3b099ed08c8ba0ecc61510291a4ca3054dda4b7897b38541dab2665e1cf111f693da175352a3531a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\Unselected.jpg

Filesize
8KB

MD5
006e8e23502b6f1a0663b7f895ec5474

SHA1
24b77d105fb6835068beaf418755aea36a7fbd15

SHA256
51e590099eb073b575815a12b98b416e274b44cad5e42d26ecf6e097822638e2

SHA512
5964bdc62f4842746bd7f56837ec70ea74af45a3e8736c988cb843aeea3ad76f2ff1ce2e7cd6a9ed09f07dda5f9949fa0f5086b2a663a2486e03d540bc1a1d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\bg.jpg

Filesize
32KB

MD5
16264de8792d0f674ea0e81574bd0c1e

SHA1
eb3394a05292881e9e1d544aa3e66168b809eb65

SHA256
16f39d0e75df77b08ce2a8d5bb104ac3e7d9edd9fc8b88ac188d6c001a5c7c22

SHA512
25492ed0712ac31e06aa6fdc60bda466fddc852b20b3dd1f2e2ce2f348da47ab9a75ea1e2d02ef6fc20db4a92a9951e7c5c293a41672ef660d7e8e480a042d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\btnFormat1.jpg

Filesize
20KB

MD5
7737865cb34f8b27c41fade119283946

SHA1
4ac93393bb89eba053521f3853e67163c3c2e789

SHA256
a28797a150694056ccd1bdd1421a604ac5e10bfda45a795ff3ee376dd586ad92

SHA512
5ddf14496be6dc167fc98527e59f1d0f2c865f30512f6871f2689d774e703eb4b003b33cdac673abe4fba30b4e3d934860db767e0d6e36aba010e636a3a41658

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\btnInit1.jpg

Filesize
2KB

MD5
55b84748e43928f6f6652b4d82fed9d6

SHA1
d0a646e236ed953982c46af279ffebb558f12df7

SHA256
8977e94aafa0fe6dba842ba96bc87dce96f4070f114362a691ccc3a0382cf69d

SHA512
4d49465908133eff3a1f28de132cda4a3019a24c3b94bc3c0adff450f35cc08ad59fdb4b65b18f54183296d48d5c45f2ea5aa0491f61f2ff1f8d62d93e90006b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\btnPause1.jpg

Filesize
911B

MD5
122e840115b144f345e6933076c5578d

SHA1
30f84e68844b0ff2665d40afef4d9aa64eff1458

SHA256
02357b8854e3662693aa57c28131fdfcab9ce108866e0a0de88bc38bedb08004

SHA512
cb3716adeb3f85afec78afeca44c9a50bcc7a805555c66c67bfcd52fea3fbac9860907637c2a0f716740b2f63567513738cbfc79aeda5af63866ef2dac2c38b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\btnReSelect1.jpg

Filesize
1KB

MD5
fc6a33752178f3ccc9b97e39c6b827ca

SHA1
b37bc71251dcefa91b78f4647b63f11d38f315bb

SHA256
a75f85cc41cada910ff5ee7d7c9153e9b7802046043b8f91e54278d8fc68c317

SHA512
b1db3ea665d6e74f9f2dc6bc16f46f1bba6dff3afe6b27b91a4d19ccead9618b9e57ade5f26443d510fcdc4267e8246f47696fbf3a1e64c61b47046f8c2048cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\btnSearch1.jpg

Filesize
2KB

MD5
9ceb5e119f8ad7050a729be8e86b343f

SHA1
f59522c32abf2ee7f3b7ca39ab731d4f1b27adb9

SHA256
0e429b612c2f0e9bdbf25f93ab3db59c8a4c0583c4599213b181fbd86290ba72

SHA512
7a116d578c93e40c8e8e543dcc3bfd384dd2bf13cd1c87dbae61811f78415e1b02e1c80439a03456328e846f4f8e46bcf9b311696a0a5161c732bf9e57045050

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\checkbtn1.jpg

Filesize
9KB

MD5
1c80c3361ca5f2fe6b419e05d9134e4b

SHA1
64f86d09b5e76d355c00cbe93e1c799c21a55bc4

SHA256
9f5a543d0572244e2f4fe98fb1dda7e7b97a46d33c1986a753ade75f80ea04af

SHA512
2f3dd0f46913e7afafa22c5069eea527663be5ef2d09eb7aef00b0979ef09620e337e6818a14fe3ba6b1ac23fd0effb46b619316de6a3dec8bd0022209d18ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\dSelected.jpg

Filesize
793B

MD5
71cc0c4f018573420e576a1f1b6f5896

SHA1
4602b05ed5768a60c8427c444c7360c424d1fa9f

SHA256
43c7bda7dbab57e8fa393c870b5764f45ccba24c74ae6f914a9d9b269789a66a

SHA512
1866c950f710c701b03185b8a1f586993d130d0667a083036e26f159b6ab9614772abdad542012a94511046b004cd6dec6356070788f9c51659133cbb23413dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\dbtnInstall4.jpg

Filesize
1024B

MD5
833863a587d466e4413da4de3d38a224

SHA1
d6bc62bf43700c0332977daa6f3ce23c4f44edba

SHA256
17e966f931333c08ede008295625adecd49b39c66bf8acdfab5b68dc065da8e1

SHA512
12d5b91234e7919a6711dacda643cc9a36cd2af6afd6624b1aeac239b00100847784e4e5bafa7f4380302aeab17c551852940c40a92b023b03e9bfd04d1f86bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\footer.jpg

Filesize
33KB

MD5
9405d23f09eecf1b1a9b571a72acf4b0

SHA1
38f60fcfe8f406420466c3ae0ab7c455abf6b60c

SHA256
856fbbe64cdcd486841c4d9f14d684f7b88525e95282c90d66cdc3161f257709

SHA512
e78b6702e2dea35fd684c89df07bc19a576aa7f4d4482c6f69411339e2536a9ce457e2249095e169cb222b7c1fc2fa7550f3fdc9f0fe88630e829209f9ab4db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\ghosttips.jpg

Filesize
17KB

MD5
ecbea9351178c4edbdc35311e7eb6417

SHA1
2a1a125a5c60d5e30206b42e4490505f4726d4cf

SHA256
5a6e1912d678e70776dd188dc1b0c2a2b086aa2a170ab5978c62135ffe50c605

SHA512
abbd709e2fa410a899c9f97a9cb9431de04a9b2855202255e3b8f20f31659f8e29107fb205e338e98e4c0239afa0b18606fc8697c4c647af34d43a7858dd11ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\help1.jpg

Filesize
9KB

MD5
8ba72623b8aac1b3a0786a5ec38dd352

SHA1
ac87db4c0bb35c0be95f523d565557b6bf0ca6b4

SHA256
f4a008532daa46ac2b78a0e300efc89c447f7bcd05a1e2929803a7310549852e

SHA512
cba1a816eb76b883f64db0c99933a672d7f318ad514a22bbd1589a6880bb5f908d1fe99e15ab71faea4d6920f6d253f5614034b1872cc4e3554d8e7b29951f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\home1.jpg

Filesize
12KB

MD5
b68277e6a579745be19c1422a3615cb6

SHA1
e9b5194533838dd5246749471934ce1858674ccf

SHA256
4fa75d21a8b14a8152b04573a92dc274a5b0a37722c4dca367ec2360802f81a4

SHA512
01bcc3eb44e49c92e27f2ef4f95949c299c27a082695454777f8d816bc6635fdbd7b576f2f55d8508c22d5e0937f4a598c6e227bf466fbb959921e8c60edddcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\last1.jpg

Filesize
10KB

MD5
ae03ef127180e86e85b338142738587f

SHA1
ec34ef3a3c6be104b49bde9843874c4cab5f7864

SHA256
99def805c5bb4407676753259267ca63d1c5d742027f499ef4bcc9f603c826f6

SHA512
e1f1ff270f5e25537a5742cb34e290b3612f8a6888b12c2f2e4e0fda8e7143b3f447a41ee41af85066c7a2acb498c12e5c6a8b00ecebe900edb187fe5bd1345e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\manual.jpg

Filesize
166KB

MD5
1833ed1821ffa6a1ce1f0e6e7a39be86

SHA1
2de3cfe886e22674bb0877ece2767e57d9096664

SHA256
86ee6cd9e843b5229f61f880dc6143bf1cd3624649403e8da8406a3780d08e31

SHA512
749a2b756ea703b190a464f1f58ad231bb12d73e678648035efd5e5b27d1e7bacb12fb533f5194ee23d154bcfc3d0d005e9649398c0f164ccd95428e0feabd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\next1.jpg

Filesize
17KB

MD5
e9f7a274b58ab76b581c3e6a29e6e178

SHA1
a83bfe9f3cef55af2782a3cf596173c1b6fe02ab

SHA256
69d6f1df8a7e189ece9a017f0ac40d07ca886b52db883193af5c49db96382946

SHA512
6876164964a9134c0505b0c62f3edc91d12e0bc85de591a03cfb21088dd1e5e2a913d8f159a2985f80b193d8f9ed1b20c3e19708196cf4ae191500214aacec26

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\next4.jpg

Filesize
17KB

MD5
54f4e2c64185bd1648d94a4eea613097

SHA1
1f435e1266537e7172f41022744e882f1da28ea8

SHA256
27bb56cdf94048c0282f43476393c36151d6be16a8ffaee1f055b431e5b43a4f

SHA512
e46387bbc979fa9b89256b70a0660f5b039103c52f03e765a2f6d8c8d1e5dad4829a4a242cd03f4f7354b818c6cd926ccb95bf91b68ecae9f8c401084134c1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\os1.jpg

Filesize
2KB

MD5
d04e7a2ac50eafe5ab93a825f701eb51

SHA1
a11ffd29c8f6ce13ce526c9e80acc3b4f517c66c

SHA256
2b196edb3ec150d273eaefbe8f4587af18f40d59375c7f73a89bfaa1f4d31a4f

SHA512
77af3396e8c34ef402fa6357772c126b578ff9bff1ee31351fb60180c72baf38f5ccbdb9be77f1af4e536c99b5d70753bdcbc59a9fbef6b49df8339f4cc40078

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\os14usb.jpg

Filesize
12KB

MD5
9d938e9f6aa277aaa4acd75680747267

SHA1
94bf7d2cc904ba6db95ac29191d71469ae7b65b2

SHA256
7ae01a98f275e3744dfc65bface590d0c0a0d15ec3cee9da7b7c1f428e8aeee2

SHA512
d3d1e7c2c895c29b702cc6b7f31bafcebafcc66d3432fb16064f00688302967692b3a59c93fa3769008f11a12f86b3fc0963d24ef6e1d544f881e7962db6ec8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\os2.jpg

Filesize
1KB

MD5
ac27fa22a297bd49d7c3e0e5ff52755b

SHA1
b35f15e29398bac4a65975e38099ed7495330d82

SHA256
bc5ba1774b1f4762321e532210d9dbafbab68e5da83d631bdf52aa3f51c75ca2

SHA512
8b63eef3511e6c9e943a2315c4f1d79b5299095bf2020caf9ccfc3b149692607de147f33d970a8007137e9f870e96d9a99806359e23091f98bf5b7f52e64c65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\p1.jpg

Filesize
2KB

MD5
52a43f90e070796a40661e13317ac76c

SHA1
81cfaafe8234644da507756b47b785f721c4ecc0

SHA256
e2535bc920c3efa4990036b9d12cf05b9e8d80a8a11709e5280c21daebec3f01

SHA512
f908809f6ef9228b0b0550876f28ae9cd21ffcbc5dfdc326991ad831f51d9a2f74cc11f73ee659e25b67a62aaa87d361d125a7f88416b60110103dbe876d283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\p3.jpg

Filesize
2KB

MD5
a59b053750c779de341287f3173dbaee

SHA1
62d8daa58d9a1c8a5eacc35b137f0387c73bee12

SHA256
c52c37d2622fe2ab65fd07a9b2315bec4188923ae08a29dae4c83b2223a6ec94

SHA512
3ea3c8193415523373a61fec80bd0dbdae08d24e96f5a4bdc734feb4531448c6ead1f123000d7d7106758f95eb9ed3218c44eb0e21b911b6263dc92ecee7379c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\pUnselected.jpg

Filesize
758B

MD5
56a94448496f41659c25ae8bc7482247

SHA1
af8362194075f3248cbcda3ee711be2ca3f12e95

SHA256
e0884b795e6e06216ffad5fe20e765f5ff2e5ba2b9310454028680e7c1f3d1c5

SHA512
ba2941071e7b23c645dc3a96a4d61001165707055141d986f5aba4b972e5cf14cef6cce8854f54183859441d16001607f444d2f614b853ec9bcbd7bac4f5726f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\preselecte.jpg

Filesize
19KB

MD5
64fb20b53539d043e193f88e472450c7

SHA1
89628407f434bd01e3db867b8699eed56ec6bfe2

SHA256
3f87c247e6e17f1b223cd6408b9bc0cb987a8df4ae33ae68e5f058d6b73d6b8a

SHA512
ac11430353cfc7479c597e16f11826ee9e21fd265e89e21c52ed66f72c167cc4db1c4ba21a9e76f314390bb93e59d0b156da85b51e5b38e83d1f8fee67c041ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\selected.jpg

Filesize
3KB

MD5
6acbce5a4691c1aa879d1503ef9b9f42

SHA1
054295ba86ca4736cc07614a84a1bad154f92669

SHA256
87e6b9347e0b81c7789735d5acb6bb57af375660b2d6240924a22603a8c76f7c

SHA512
75c484bb58e351415ea9c0159aab19e9c1d93036a9790ddefbc8035cbad5f1a3695ffcdcc78dcb43b6508851ff2e9870e269b874e6a3fd5230d9fbdf5251d68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\sldebar.jpg

Filesize
11KB

MD5
02cf7e7e16a91641531562201da0296c

SHA1
bfcf627fa0747013b4e0280b454516e910e5c3c9

SHA256
3a675e101ace2cb3d2b4bdbcb0ca2cf9d6a3132aae457978d3b9a8e76b1026ab

SHA512
b899a34f7f6076194c700e44f842984ad4bb078d3da81a0a213408dda0395e135ec1e133afc4afc0ecf98e2f3dc6ee1a34ff454fa4cbd7ffb1747560e35b539e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\spec.jpg

Filesize
1KB

MD5
65dea129546c2f71f15bb29b773def84

SHA1
9870b88c9c21284f1abe0a10e7ef22e720bcad00

SHA256
d8b4f729d04b43d8ade085d4f7020cc68f0b657f7a76e575abb1d205a9912183

SHA512
4cdf74a48680ecfcbc4740646532e1e7dbf2059e05df9c2a5e1dd5efae94346f6e986ce8f90072fc42d5e92102b67b94b9d986608be2fa4bcf0bc3912f0fcef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\sub1_2.jpg

Filesize
2KB

MD5
a30dec1e2b7e258094f0aaaa6e99d320

SHA1
2be56390ff196af20e7ca70ab6eafb976d089365

SHA256
64f4326ede0afa82b644337ab7f8889b2d50521edbd8685c4ba2e15b39c78343

SHA512
b5718bc399341dd892f9a5529485bcd96d9b83804dbafad129090b51d7f5f63324943dc70f374d8e2f4c6bc6b3e179282a3983f14a4de506ce1f5294f39a5490

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\sub2_1.jpg

Filesize
1KB

MD5
9d48c9405c1b08b6f76d4e80191ff6ac

SHA1
a310e2496c1104e65f2bc5e127b94718cc33aea2

SHA256
c6bd2069d4f5b77984eb1cf30612cf21bac56d0041aaa3ce9a7cf1143edd5d49

SHA512
946d2023a9400fe77db4ee05fded57db5ac08d219729b61c71abf64a38b18925879a87b511f6d63a928b09318b4cce28f5b726cd6f71adde800bb4dd07e06af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\sub3_1.jpg

Filesize
2KB

MD5
c447257b417a0b7a6ba0e5e17f3cb671

SHA1
65804bff254cc234ef3f99ee0044e39075792e5e

SHA256
6c6bcf75635054a2bd97efdfd379b01e2622a10ff7ccdf4ea653b18fa6434f60

SHA512
d137caa5f6c8edd14e88a968418387af7955813ffbad5bc534c40946e10bb336c27bc0623a48a17bc27dfe957396291488a622087feca05334978e2c37358129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\sub4_1.jpg

Filesize
1KB

MD5
cbf5ca903a43d84a6f1b783654e0acef

SHA1
9f913405f8b82a3cb65dfbeab364011c7b51aa5b

SHA256
8a91f3789ec3244d28095ccd12d5b5bbdeb875c85e8e44470ef31c3b77b2342a

SHA512
80e2ecd1df8f586bb7df35f23b46e1787c4d277730f96effe109904938867a5de96f2935cbea5cc646630e39a64713af03b2a63bae117f058997abaa0ae45c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\sub5_1.jpg

Filesize
1KB

MD5
087c5f7e379e1aaad9d1f13ee0e9357b

SHA1
cde53fe49a563c0b428c22147071fbe79f66f5d7

SHA256
00986836fa6c6f567726ddba09745f7cc26c62309cefc7470d321e8c52f5128b

SHA512
c59c10dd7d8824d15aa81e8259d5c66b2b6340fee018152be3ad04b20dc3e8c2ab52803ca96628bf5c3440a72bdc3d328c56a353cac741c796a2768af13a1e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\usbPrompt.jpg

Filesize
24KB

MD5
9766827a733056ea03e297415e9b3d19

SHA1
504c0c03f1249d9ad2c0ca02faf1fd9d143af8ee

SHA256
2e2fc9a23618a5a6bc9f362008bbfd6df9906d98fbcdc3598681df031678641c

SHA512
a14e6091684cb2d1348bd59f89e5535b5a9a0e1ed3e9a97aad5eb8056a54cc8620d5af083bc8019b114f0049e8cc1ab107ed5fbba5547fc8dbeb23e37460405b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\usbbtnMake1.jpg

Filesize
4KB

MD5
d365966bf6f68fd4d33d9f0eb5582fcf

SHA1
58808b5a611b737882bd1af2d0a815fbc9e97d5e

SHA256
0ea9dd4cac7b712ca84f2adfbff556cc21132ec0d977bb0186ed1387f49d8c89

SHA512
2537d2cc1c3bfb6b04e53d29c6280e7d0f844069a2506da1c043d08824f48a86290cf050d401acef11640929a114cfc45b9d9566420e526311d124a009a1e98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\uzhong.png

Filesize
176B

MD5
fb45b9abf54001b63a0d093eb37b9f19

SHA1
7721fad8258dd1be65801c110fe84bed06b456ef

SHA256
e32881702957a53ffecda2edf4f015b08e75af739b1c19dbccaf037eb18dd134

SHA512
f927f17c619284ec7edf466c4efc2571cc0e7ab8710c8a683716f59115df91d4d66eb2bf3a5a9432655300181228ced301132144ccb0737257c3af64d474b997

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_ohetwxp\images\zhong.png

Filesize
2KB

MD5
33ce58e6ac3ebd8a212cfbfd122884f8

SHA1
fe29f3f40da466e6e0e5a286c3fee77024c07832

SHA256
45ca3819ae4418463ae2f301ccb6af0168724f2d1fe8a48ac95868a3f8db4341

SHA512
14bb24f128c73c20ae86ce225fc36276334275a3105d1fa7cdce83443b4a4ad2adb3103202a1881e886b4f5cf0b6eb4b7bb20e0a5c5cebc2dfcff30a9ec684cf

Download Submit
\Users\Admin\AppData\Local\Temp\xh_ohetwxp\7z.exe

Filesize
168KB

MD5
ff7a6f30a05959c05ca54d47bebb28b8

SHA1
9c4530f824314ba36c42f94810b408c74ab8b0e8

SHA256
29717709356c1c1c28339d80c97f202ab00d2d42b7e16296e5e7456056b7bb84

SHA512
bf2a8c86ed9d467ba400bd7b89a86e8a38f0b62be5625a834d8776443a6f670666db017d6927b6f0c17bed9b7065fd04e7b28af5eceeb4a21b47d7a31007e7df

Download Submit
memory/1856-489-0x00000000030B0000-0x00000000034B0000-memory.dmp

Filesize
4.0MB

Download
memory/1856-492-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1856-494-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1856-493-0x00000000054D0000-0x000000000553F000-memory.dmp

Filesize
444KB

Download
memory/1856-490-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/1856-491-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1856-55-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1856-846-0x00000000030B0000-0x00000000034B0000-memory.dmp

Filesize
4.0MB

Download
memory/1856-847-0x00000000054D0000-0x000000000553F000-memory.dmp

Filesize
444KB

Download