9a97197ab32aa3645c3c6e2862aec79d04c7aec015e33ab7589df6c9001f61a0

Analysis

max time kernel
43s
max time network
37s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEU_KMS_Activator_30.4.0.exe
Size

7.5MB
MD5

fa8414423461fbc180cd6bb1ddce0943
SHA1

e47d1c1bbf202bcbfc887801833ebb6ba28b03ed
SHA256

9a97197ab32aa3645c3c6e2862aec79d04c7aec015e33ab7589df6c9001f61a0
SHA512

d62af6118880cc457b21b1749fcdde5353bd761993aaa84822897732be219fb229680ca6402338fde5f4436778aa68d24a88da120fce95ac109112273ab58a1f
SSDEEP

196608:NvGacofn0nk/6RGU+cu6xYDcUT+GXGMVPNBvLDA:Nveof0nid5cu6mDhyirTA

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2216	Patch.exe
4788	HEU_KMS_Activator_30.4.0.exe
4984	7Z.EXE
4264	kms_x64.exe
1192	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
2308	HEU_KMS_Activator_30.4.0.exe
2308	HEU_KMS_Activator_30.4.0.exe
2900	MsiExec.exe
1220	MsiExec.exe
1220	MsiExec.exe
1220	MsiExec.exe
1220	MsiExec.exe
2308	HEU_KMS_Activator_30.4.0.exe
4788	HEU_KMS_Activator_30.4.0.exe
4788	HEU_KMS_Activator_30.4.0.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\Z:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\H:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\G:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\J:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\T:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\W:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\S:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\V:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\N:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\X:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\P:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\U:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\Y:	HEU_KMS_Activator_30.4.0.exe
File opened (read-only)	\??\E:	msiexec.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4788-1011-0x0000000001390000-0x0000000001CB5000-memory.dmp	autoit_exe
behavioral1/memory/4264-1015-0x000000013FFC0000-0x0000000140299000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\winmgmts:\root\CIMV2	kms_x64.exe
File opened for modification	C:\Windows\System32\winmgmts:\root\cimv2	kms_x64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 4664	2216	Patch.exe	40

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000191fd-51.dat	upx
behavioral1/memory/4788-743-0x0000000001390000-0x0000000001CB5000-memory.dmp	upx
behavioral1/files/0x000500000001a504-967.dat	upx
behavioral1/memory/4788-969-0x0000000005850000-0x0000000005B29000-memory.dmp	upx
behavioral1/memory/4264-971-0x000000013FFC0000-0x0000000140299000-memory.dmp	upx
behavioral1/memory/4788-1011-0x0000000001390000-0x0000000001CB5000-memory.dmp	upx
behavioral1/memory/4264-1015-0x000000013FFC0000-0x0000000140299000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_temp_heu168yyds\pic\3-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\message.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\pic0\update.ico	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\3-3.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\Renewal-Close1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\HEU3040_Debug.txt	kms_x64.exe
File created	C:\Windows\_temp_heu168yyds\pic\3-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\4-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\pic0\left.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\Renewal-Close2.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\x86\SECOPatcher.dll	7Z.EXE
File created	C:\Windows\Installer\{1CC7FD43-1DFB-4008-BBA4-B50E90B07479}\HEU_KMS_Activator_30.4.0.exe	msiexec.exe
File created	C:\Windows\_temp_heu168yyds\KMSmini.7z	HEU_KMS_Activator_30.4.0.exe
File created	C:\Windows\_temp_heu168yyds\pic\3-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\logo.png	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\TAB4.png	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\4-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\9-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\pic0\ewm_wx.jpg	7Z.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\_temp_heu168yyds\pic\15-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\19-1.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\5-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\8-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\pic0\head.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\x64\cleanospp.exe	7Z.EXE
File opened for modification	C:\Windows\Installer\MSIEDAA.tmp	msiexec.exe
File opened for modification	C:\Windows\_temp_heu168yyds\pic\12-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\15-1.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\8-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\BACK6.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\pic0\update.ico	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\Office2010OSPP	HEU_KMS_Activator_30.4.0.exe
File created	C:\Windows\_temp_heu168yyds\pic\12-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\23-1.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\x64\SECOPatcher.dll	7Z.EXE
File opened for modification	C:\Windows\Installer\MSIEE09.tmp	msiexec.exe
File created	C:\Windows\_temp_heu168yyds\pic\14-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\21-1.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\TAB4.png	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\x86\kms.exe	7Z.EXE
File created	C:\Windows\Installer\f76ece1.ipi	msiexec.exe
File opened for modification	C:\Windows\_temp_heu168yyds\pic\BACK2.jpg	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\9-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\pic0\ewm_gzh.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\x64\kms_x64.exe	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\x86	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\7-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\BACK6.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\x86\SppExtComObjHook.dll	7Z.EXE
File created	C:\Windows\Installer\f76ecde.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEB5.tmp	msiexec.exe
File opened for modification	C:\Windows\_temp_heu168yyds\KMSmini.7z	HEU_KMS_Activator_30.4.0.exe
File created	C:\Windows\_temp_heu168yyds\pic\12-1.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\2-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\23-1.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\4-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\xml\HEU_KMS_Renewal.xml	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\x64\SppExtComObjHookARM64.dll	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\23-2.bmp	7Z.EXE
File created	C:\Windows\_temp_heu168yyds\pic\8-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\skin.png	7Z.EXE
File opened for modification	C:\Windows\_temp_heu168yyds\pic\TAB2.png	7Z.EXE

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4364	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEU_KMS_Activator_30.4.0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	HEU_KMS_Activator_30.4.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	kms_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	kms_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	HEU_KMS_Activator_30.4.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7Z.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEU_KMS_Activator_30.4.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34DF7CC1BFD18004BB4A5BE0090B4797\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\130422FEBEBB80448A4DC6D81128AFDF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\HEU_KMS_Activator_30.4.0\\HEU_KMS_Activator_30.4.0 1.0.0\\install\\0B07479\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\PackageName = "HEU_KMS_Activator_30.4.0.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\HEU_KMS_Activator_30.4.0\\HEU_KMS_Activator_30.4.0 1.0.0\\install\\0B07479\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\PackageCode = "FA2EECDC30B9B5B44904E4F60008AD1A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\130422FEBEBB80448A4DC6D81128AFDF\34DF7CC1BFD18004BB4A5BE0090B4797	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34DF7CC1BFD18004BB4A5BE0090B4797	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\ProductName = "HEU_KMS_Activator_30.4.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\ProductIcon = "C:\\Windows\\Installer\\{1CC7FD43-1DFB-4008-BBA4-B50E90B07479}\\HEU_KMS_Activator_30.4.0.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34DF7CC1BFD18004BB4A5BE0090B4797\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2188	msiexec.exe
2188	msiexec.exe
4264	kms_x64.exe
4264	kms_x64.exe
4264	kms_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4264	kms_x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2188	msiexec.exe
Token: SeTakeOwnershipPrivilege	2188	msiexec.exe
Token: SeSecurityPrivilege	2188	msiexec.exe
Token: SeCreateTokenPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeAssignPrimaryTokenPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeLockMemoryPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeIncreaseQuotaPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeMachineAccountPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeTcbPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSecurityPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeTakeOwnershipPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeLoadDriverPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSystemProfilePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSystemtimePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeProfSingleProcessPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeIncBasePriorityPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreatePagefilePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreatePermanentPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeBackupPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeRestorePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeShutdownPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeDebugPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeAuditPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSystemEnvironmentPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeChangeNotifyPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeRemoteShutdownPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeUndockPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSyncAgentPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeEnableDelegationPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeManageVolumePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeImpersonatePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreateGlobalPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreateTokenPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeAssignPrimaryTokenPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeLockMemoryPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeIncreaseQuotaPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeMachineAccountPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeTcbPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSecurityPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeTakeOwnershipPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeLoadDriverPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSystemProfilePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSystemtimePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeProfSingleProcessPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeIncBasePriorityPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreatePagefilePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreatePermanentPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeBackupPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeRestorePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeShutdownPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeDebugPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeAuditPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSystemEnvironmentPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeChangeNotifyPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeRemoteShutdownPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeUndockPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeSyncAgentPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeEnableDelegationPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeManageVolumePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeImpersonatePrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreateGlobalPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeCreateTokenPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeAssignPrimaryTokenPrivilege	2308	HEU_KMS_Activator_30.4.0.exe
Token: SeLockMemoryPrivilege	2308	HEU_KMS_Activator_30.4.0.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2308	HEU_KMS_Activator_30.4.0.exe
2748	msiexec.exe
2748	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2188 wrote to memory of 2900	2188	msiexec.exe	32
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2308 wrote to memory of 2748	2308	HEU_KMS_Activator_30.4.0.exe	33
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 1220	2188	msiexec.exe	37
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2188 wrote to memory of 2216	2188	msiexec.exe	38
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2216 wrote to memory of 4664	2216	Patch.exe	40
PID 2188 wrote to memory of 4788	2188	msiexec.exe	42
PID 2188 wrote to memory of 4788	2188	msiexec.exe	42
PID 2188 wrote to memory of 4788	2188	msiexec.exe	42
PID 2188 wrote to memory of 4788	2188	msiexec.exe	42
PID 4788 wrote to memory of 4984	4788	HEU_KMS_Activator_30.4.0.exe	43
PID 4788 wrote to memory of 4984	4788	HEU_KMS_Activator_30.4.0.exe	43
PID 4788 wrote to memory of 4984	4788	HEU_KMS_Activator_30.4.0.exe	43
PID 4788 wrote to memory of 4984	4788	HEU_KMS_Activator_30.4.0.exe	43
PID 4788 wrote to memory of 4264	4788	HEU_KMS_Activator_30.4.0.exe	45
PID 4788 wrote to memory of 4264	4788	HEU_KMS_Activator_30.4.0.exe	45
PID 4788 wrote to memory of 4264	4788	HEU_KMS_Activator_30.4.0.exe	45
PID 4788 wrote to memory of 4264	4788	HEU_KMS_Activator_30.4.0.exe	45
PID 4264 wrote to memory of 1512	4264	kms_x64.exe	46
PID 4264 wrote to memory of 1512	4264	kms_x64.exe	46
PID 4264 wrote to memory of 1512	4264	kms_x64.exe	46
PID 1512 wrote to memory of 3148	1512	cmd.exe	48
PID 1512 wrote to memory of 3148	1512	cmd.exe	48
PID 1512 wrote to memory of 3148	1512	cmd.exe	48
PID 4264 wrote to memory of 3548	4264	kms_x64.exe	49
PID 4264 wrote to memory of 3548	4264	kms_x64.exe	49
PID 4264 wrote to memory of 3548	4264	kms_x64.exe	49
PID 3548 wrote to memory of 3632	3548	cmd.exe	51
PID 3548 wrote to memory of 3632	3548	cmd.exe	51
PID 3548 wrote to memory of 3632	3548	cmd.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_30.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_30.4.0.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0 1.0.0\install\0B07479\HEU_KMS_Activator_30.4.0.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_30.4.0.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1727716054 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99B2495124FC386ECC7DDEE122DFFEDC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5758DCA3032937F846FEDCADD4DFD942
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1220
- C:\Users\Admin\AppData\Roaming\WindowsActiveServices\Patch.exe
  "C:\Users\Admin\AppData\Roaming\WindowsActiveServices\Patch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- C:\Program Files (x86)\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0.exe
  "C:\Program Files (x86)\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\_temp_heu168yyds\7Z.EXE
    "C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4984
- - C:\Windows\_temp_heu168yyds\x64\kms_x64.exe
    C:\Windows\_temp_heu168yyds\x64\kms_x64.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Windows\_temp_heu168yyds\xml\wim.xml?.wsf" Win32_ComputerSystem CreationClassName
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\System32\cscript.exe
        
        C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Windows\_temp_heu168yyds\xml\wim.xml?.wsf" Win32_ComputerSystem CreationClassName
        5⤵
        
        PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Windows\_temp_heu168yyds\xml\wim.xml?.wsf" SoftwareLicensingService Version
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\System32\cscript.exe
        
        C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Windows\_temp_heu168yyds\xml\wim.xml?.wsf" SoftwareLicensingService Version
        5⤵
        
        PID:3632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc query sppsvc
      4⤵
      PID:4188
    - - C:\Windows\system32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2912

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A4" "00000000000005CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ece2.rbs

Filesize
9KB

MD5
6eeecd36af31f7e6905081ba2c1a41a3

SHA1
60338d710fe664cb8d32cc3a4d954d19747a1a43

SHA256
86b2320079427e39d1981420363865e462391c58528d33a9dcb9a99d1052038d

SHA512
77c996561f4cba604924f26b7affa7610046982b6bb29970cd7f881ed382ba97bc0318fea8946b77179ec0067d35ddee63ac728c48b50dfa584eaed31a7af7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID124.tmp

Filesize
378KB

MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScriptTemp.ini

Filesize
153B

MD5
32a9ba7a0390d678060ad5b584cfa805

SHA1
06077c6769fe485e4fa64dd8a7aee40921a2f480

SHA256
6b8e280024ff7ed19f3baccb633d73aa17ae686dec66d2ea1e6972364a5add3e

SHA512
54a57befd56e4f1782f962d9b3f41079bfd76bb49f0690f65405dcdd16d828284e3ecc81cb81c22bd03097bf55bafb1434af0ea0534bc7ec8a4cb6255e50eccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScriptTemp.ini

Filesize
154B

MD5
d38cf51fbeec389430c27f4c5452b58d

SHA1
05d54e4f60b6f0c6d5cabeabba80a19167e9a9ca

SHA256
8011177094085cd66842e4ec1b6cf5ba1292568ffc54a8bc8fa50faf74e95441

SHA512
12d9d343f9937786d42c681237fb89fc52837ab83da9c1ae969650f5586b8665bac64bb0634cdfc68461dcb496375719930d48ecc8f019417b98a01130b284fb

Download Submit
C:\Users\Admin\AppData\Roaming\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0 1.0.0\install\0B07479\AppDataFolder\WindowsActiveServices\Patch.exe

Filesize
588KB

MD5
2afbb4562f46e981beae497935002d3c

SHA1
8ede8d5c5551a8b6237a3c04f77b6f374e7c3539

SHA256
7b949ec5f73dff9e83d9c5e8995e025940f1ed6d3b07c27923d9321ca9a42ead

SHA512
112cc4a88078bfbadc86fe9e193b09307fe076be20b2080af968c8aea2d91ba691fe418444ea22b6c7e49dab9db4bb6b121f40e1aabef4219a4d62ab6fccab54

Download Submit
C:\Users\Admin\AppData\Roaming\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0 1.0.0\install\0B07479\HEU_KMS_Activator_30.4.0.exe

Filesize
4.5MB

MD5
362ff2681b18f1c682add6f6a673bed0

SHA1
d4cb5cd27192bd0f1d0d0ca5b2f75ebd40dda4a7

SHA256
6e93c12eb4921a6fccaf4c3f52d4776ac58fc850f939827964d8458ed3c60150

SHA512
7e17ba842c340f86e2a3a164356028f44938a3c17436b5764c6c24de54be1a32c99a1571416f6e8d96ae093c243ba5a3caa2b4186db7522a8cc45ac6dab7301f

Download Submit
C:\Users\Admin\AppData\Roaming\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0 1.0.0\install\0B07479\HEU_KMS_Activator_30.4.0.msi

Filesize
1.4MB

MD5
5899fa7fc7ca7d1eb2d79830ee5b6fcf

SHA1
5ff056dc9ba5e6605996a111fab531d3b27143a0

SHA256
86e61548eaa9dc8787da0a032d560a4b11c27bc2fb200d7a9a847956ad57e546

SHA512
5f979230425425e0094a7e4432144290d1135f04795f927b20a402e067f23ec2832f7827af1e0a892cf819c37cf35e468712ea3b527a70fc41b90fd2a2c34875

Download Submit
C:\Windows\_temp_heu168yyds\KMSmini.7z

Filesize
1.9MB

MD5
59f38eb644887d28c8517302a5168d96

SHA1
2fa66fd2a1d667954f22123fbf6a512e356c1efa

SHA256
75f1feec7d2ac994868df3cdfe3dbc361976d4b3dfca1fae6e8e1362780db9f1

SHA512
a70c48086fb88b5dc06076d29ddf295a679c5426f9f4da0e5d7fbd981ae1bb5ac243d1f231be4ea99cc40e5cb5ecb704f4cfbd83321c28e5413dbb8d9e6f20b7

Download Submit
C:\Windows\_temp_heu168yyds\files.7z

Filesize
1.4MB

MD5
c7926c9b1dfe047575916f8016f36555

SHA1
88f149b25d40e4d124c45bef48a82d69fc5e7e34

SHA256
c02c302c2f9861b4120664ad32b74280a5f13dae54735ad858691837aa496888

SHA512
68e2efe32be775eff0c6c949ac5f3770be1ac9a5baabd85b73e6e0d987b4b593329d829a6cdd111379637adc81caf1cdc542d43c420c102405c239ee85cf9ec2

Download Submit
C:\Windows\_temp_heu168yyds\pic\1-1.bmp

Filesize
3KB

MD5
854fdb63b26f58d482a85f4a7d87eb75

SHA1
85c8c1571fb9af56dbf96a7e15cd0803122aeae5

SHA256
8d3b094b0984a03453f11d7d587226f4e29665e1b0e04b76f009a8e8268fe18c

SHA512
a246beb71ecd77306d88c8f07652bea65dd1fa23c75b8a70d8a7e6b3992190fc457dc20023373feac8dbcf70d80518bf0b273cd60bb9b6ee28308af4ec1c89d4

Download Submit
C:\Windows\_temp_heu168yyds\pic\1-2.bmp

Filesize
3KB

MD5
f0b50ceb08e0e47410ab0486cfe18e13

SHA1
bd1601d56040099e086555c782427a48a2da164f

SHA256
1ec1312347fee5a7cddda9d264b536f2a230de13acbd024a967ff9bd6d607a5b

SHA512
a4a2573bd5f25d47ac18b61023f5fe6e2dfe2cb7fe3f62de14c1bfebaa2a329076a7c57368b378810d37fe842f9a61ca99da8148a1c229a556ee7e871e6f3bbb

Download Submit
C:\Windows\_temp_heu168yyds\pic\12-1.bmp

Filesize
2KB

MD5
41645b59d0cd2909a8d8105a7c99dc30

SHA1
1cc51c822380290125af8c8b75d5d212a8431598

SHA256
9d7c6237e459455d792589c0d2ee7d5f02d0a62e403978d974b4049503eda4d2

SHA512
9fa54cf9ecbde966744e138b4c06ed3b49f9d2d1045e5874829526201d7a14523564f3ee5b94e444481eccf046eab1c8ca80ec95b3b733f78ec4951e70166327

Download Submit
C:\Windows\_temp_heu168yyds\pic\12-2.bmp

Filesize
2KB

MD5
8bb9fcbbae84be58619ac7e340b34f60

SHA1
5d3da5d0fa30caa4137ea0c70b9550c88da2e011

SHA256
80e1b7511127d4b36fc7f5a16fbbffeddbca2bdfc44c010d02b4657c94f3d20d

SHA512
da30e8836ef6bd315fcb6e2f911ea0bb7cdaaf2bab8dbbd5ec3ecb4dba23618b702b9b98975a79ebcfa70a458969f227886cdfd15ef866e9f2ed04c2c5374917

Download Submit
C:\Windows\_temp_heu168yyds\pic\14-1.bmp

Filesize
3KB

MD5
ea41c4b5b5a96b68758c993a24a80c38

SHA1
084cf42c7dbea5435478835a7303063f3c11ee93

SHA256
f6e73c93ce3c964a9e8969eff64bb12bd20685350b6dd8b2ef3d86f803dcbcc9

SHA512
f84d813a9bdaa16229bec71995c4e3a4dec88ca3ba2c818b1284994fb28159832f3c5b7d09301794a7ba1888d8a060a8098e6ddff599133ceb1adc3d2a6c7b5a

Download Submit
C:\Windows\_temp_heu168yyds\pic\14-2.bmp

Filesize
3KB

MD5
047f193f29ed38e689ac53bb6b879c46

SHA1
a8e62140702d55c2ba95385cd064fa96ae68888d

SHA256
fa993936d1682bbce788e759bd1b2635b987e535adab6002792d0c316df5863c

SHA512
1a5d614b22b51548ddb8c715c2a456fa3602928b5fe513d748f6c49846487e84593f062282def5ecd44889ece5e3321bc6077f7c07725c1121c9ed1f59b4ac2a

Download Submit
C:\Windows\_temp_heu168yyds\pic\15-1.bmp

Filesize
3KB

MD5
89cca5171e13d2502449433ce4b5d3fb

SHA1
0cca8a5c6578731760340cd017af3d4576c3301a

SHA256
fe17efd8e710e268b0b9c7374346e10c0e1f72927b3016c42a911d4c67e89439

SHA512
23a2d50ca72ec07d07d8b9e432d5228b84c4c94e29103d1cd8ec3856406541433e5b9efafe0c41d1e286d0372f3127b5ce709bef5a9efaa9c2f5fbb93bd39c79

Download Submit
C:\Windows\_temp_heu168yyds\pic\15-2.bmp

Filesize
3KB

MD5
d92102d6a2440521043cf675e12cf69c

SHA1
d652bba4134dd9bc5d47422c29c7a4e9cbbc4cb3

SHA256
85fba5bea5738ae5171a5807263d99ebb392719cc93dc0e10c12174bb974fbdb

SHA512
0f77ea43d1f04133ac6b6f57edafa8c8d88bb257a231e32e4563e9ff53a389f08e0479a4c8dd912509849371463181df1b1cd0367ffba35af05d5edfc7d97728

Download Submit
C:\Windows\_temp_heu168yyds\pic\17-1.bmp

Filesize
3KB

MD5
04a1525dd639c4484c7626dfa814d155

SHA1
ddd779be16a7b61450595ea34f34ef9b630ae408

SHA256
de0640c44d43a43d2726e22ef87e80d9a571fa5b1682fd743f4be395526b6fa9

SHA512
17832b959d0d346252a6d56587cae2aa43d79e9de81ff2f39913fa31f6e6607eba029cef9df3bf921a48de32ce5a7d79da272dc969f02d27a2fdea899de9b669

Download Submit
C:\Windows\_temp_heu168yyds\pic\17-2.bmp

Filesize
3KB

MD5
97a2b98d6d4296b08deb1b6b27901a4f

SHA1
63ce9dbed54795acffd5eaa0c8b4f7381aa180da

SHA256
c267701bfc6b785772abee5ac8eb83fb2c13c09385a2a2c4a1cd451a67e9cb96

SHA512
35a6ced7ab8b7b244b71e80b7a41ba86b03e846547cc18faa66ac52e613ae13d214e72995bc85654e22e86f02d905f7d59dceb419dd8d079e3c1386686f340af

Download Submit
C:\Windows\_temp_heu168yyds\pic\19-1.bmp

Filesize
536B

MD5
99ee0843080ef4a170a9ed671c9e9490

SHA1
8b745f7b5280b1b5d4e9c1471c8d84f03f42aaf8

SHA256
17614e36cd05242a0eb00e3be671efe9aecc38ae7f747f6ea876bd4d5c7fa2bb

SHA512
3598cc18ed377859f6d9dbdda10722c3b3cbf3406d188949938cef6b2b1a80fc7968f5dcad99880d2f3282dafd291b1aea24d311c77653b8f13dc01c5e41463d

Download Submit
C:\Windows\_temp_heu168yyds\pic\2-1.bmp

Filesize
3KB

MD5
ba0d1c5df80811f14e8f62177091f7c1

SHA1
51963b98bc149e7a68806362aba4cde52381ed90

SHA256
0fa23808226905ecd88a5b8575368c721b2d5d37f814c11aec2c2826e0c187b3

SHA512
ba72973d517a88dd5143bc8da5962757aebe0195a471b4c901cacd2195c927d4ff002363caa3a90c70984a5e9d725a78090a004c289bbaf91cce7909df33d8f9

Download Submit
C:\Windows\_temp_heu168yyds\pic\2-2.bmp

Filesize
3KB

MD5
95ec10b9c3d06217e5153f3df5ddd1ac

SHA1
6fa16e4e46b92cafb584f57e7963a1449a1958d4

SHA256
7d45e5be1295ba2c3ea46268346b7351ef75d3c47972859c5c2b861df45d3d46

SHA512
ff07bea9a4c52a136850cb1d1331adf1347e266c38eff6bc826d8ff0807cdf149f10d81d096bc94664455e723a0a7736f0b38615ee447b41bb22c5935cf38ca7

Download Submit
C:\Windows\_temp_heu168yyds\pic\2-3.bmp

Filesize
3KB

MD5
ef0b757a7392b76f0d44005b300ee84f

SHA1
bc032e058bd4880ea53a52cfc7a7a9242a127186

SHA256
7b7dd7223a8d8220679a53d5be91331a4ee38fa4b33ac5a7de37aa880e89139c

SHA512
bb937aaa2fe20a5b799fb429f0a718c9205b198cbbf80dadddd645586be833059486c86ad2d83b08b6465ace784d00662096879973630537907ab4ed90748dd0

Download Submit
C:\Windows\_temp_heu168yyds\pic\3-1.bmp

Filesize
3KB

MD5
9de694a8a4e2f1b473352ebabab39b6f

SHA1
d157179758ced1e150279364932aa80dd34d9338

SHA256
98b285eb57bee3614cec6c1d0037420ac7c5c4e26b6fc20d59572ea9a11cf19a

SHA512
9df3054660351b0ad4e59ad506548a4034166f776cd55a4d3392b4b65d8db8dd19db13afab4eb7ae091fa5bc9b2f4082af1a405ffd6c6939b34990e668bdf89f

Download Submit
C:\Windows\_temp_heu168yyds\pic\3-2.bmp

Filesize
3KB

MD5
2824f5ade3d18bb173b5a6e10b5933fb

SHA1
2e42fb1e7dcce77f71b47067d0b31b67f26f0e19

SHA256
9fc99137a049f69c40050c4d37d51f70e5c15872f6c2886172fb4bd071fc290b

SHA512
784c77f6673febf41ad14f790ad65edf0f6bf499c1313fc8f292c24d0070eed765dc98d188f23153e0b0ecdb6a058b41ca9445041db4c331a985b4bed8657d23

Download Submit
C:\Windows\_temp_heu168yyds\pic\3-3.bmp

Filesize
3KB

MD5
b633d8ef5dc70459ba13d81d4b7e6355

SHA1
a405b201b569f24c06ee94d1c04b67ed12c8a882

SHA256
46193fd3f44fee45b44e5c047f68944ed443717ce7060675992cb21e4ba8f366

SHA512
deeb1c3d10f85ebeb77f125d48ec9aafc02794a24f1da58ff713273bd1204601c5a71a402a40ac87adcff10194206d49ac3cb4c5bffc02dd0b29e933e4d5760d

Download Submit
C:\Windows\_temp_heu168yyds\pic\4-1.bmp

Filesize
3KB

MD5
72a3e5372444ce8ca9df741589b54ccf

SHA1
b2892bc0ca2dad39bf5e08b1cf4c46e9986a8914

SHA256
25755db2351f0b97f1d90de0b3e5967d73411eb7ae7e8404b3f2f262b1507d57

SHA512
2c734783a929d842de5541760496e92a0c990c40429b60f171c940633bfc820f72b0f7671b356f9cff7a31a0f217a990d12a330a00caaafdc35ae4f4e0a61fdf

Download Submit
C:\Windows\_temp_heu168yyds\pic\4-2.bmp

Filesize
3KB

MD5
01b7718bc37818b703ccc6ba022741b1

SHA1
9fa8996f0b37d16428afe68cc0190ab80204f384

SHA256
b396ac8d18adf6288b05b603fe377ec062ef8cc1ae3dac765b17a9662456bf31

SHA512
78aa918327a0c3cec793a8ed22bdea449006f476c3e25d401d6439cbb59a71f2c11294bad83381e81b4d4343cbb7ac6e1f5f737f7c056c0b8e9f07d491ecb903

Download Submit
C:\Windows\_temp_heu168yyds\pic\5-1.bmp

Filesize
1KB

MD5
59d1447568858647deb7bce5384af2bb

SHA1
9cb45ae311eaecf705fc557e57270bc285bcc3a5

SHA256
50dec083680509b4a2b10266d8366d36e7d044ffa9278b573c5361bcf821b5dd

SHA512
417d76b05096790e80792e637de3223d717d55ffe06dc20eadcd9c74d169f2a088ad489d001a2cf5e937eab63546424a4557841938eaeea02230cb398ecb314b

Download Submit
C:\Windows\_temp_heu168yyds\pic\5-2.bmp

Filesize
1KB

MD5
187a5d7b4c9a88face97056111af08e8

SHA1
1ee313c22cd3cc8f690bae69afc64f69a20e4a9e

SHA256
ac57b5eaf87a5f7b4d01cc253bf45afa0d7a7982f1a17bf1fca304fe0fa64af1

SHA512
615e5c7124eefcb7593ba3fce0e450a557dfe428f5242196d664b4e2806bfce9a8a35ee84eb4180c4ab5328e4d4b3569b333b8c786be28c6478d07dd9bbb9bc0

Download Submit
C:\Windows\_temp_heu168yyds\pic\6-1.bmp

Filesize
3KB

MD5
ae1495079c600e61a9d4c4ebb4386f7b

SHA1
e13db0c922636eb55ebfcd5ed5584b0ad70e64f5

SHA256
c359b6f7e6ddb6f4bd9d003ca5df4cf0b2a92d3329d95c023bead0f3b0f8234d

SHA512
aa702694c43546ba8157a44790222f2dbf85cb89858bbcfb66ed90369f88e5666fa7295c13e86fd76c386cbc830451fc7b3c0b9d13a8457decf679f59e92a7cf

Download Submit
C:\Windows\_temp_heu168yyds\pic\6-2.bmp

Filesize
3KB

MD5
8d5af3015a65ef4b4169e536c44c5b8a

SHA1
b8f414b2e812d5ccc4e2e1f2ea8e9b9dd086cdf6

SHA256
174393290f92feacf88f183b1b098c20d8df7f522505b39d6a7d011fcf67c5b7

SHA512
37f18fef44d763b427464097fabef937672da342335a0d7014e8aeeb5301b9596f5203eaadd2c6264f89494c9b1aba97e77fe689ae3244a5111dc91606f00d57

Download Submit
C:\Windows\_temp_heu168yyds\pic\7-1.bmp

Filesize
3KB

MD5
60c054f50977bac8a0a8818d6c18f971

SHA1
8e0a54833af8ef3691976e7e88ed4074b3890ee8

SHA256
14f8e2863fe89119fc146f2b826f66ac1eb84fe90c275d94b428fd259e136195

SHA512
c3a5aa0358893ad7f7520b201396a2bf50db7b63c5c81d6e0a5d3dc3b1060b1b217086b2cfdde25d531f5b71e8c04f583fd9fc8467ac525bacf2c7f93f3bafdb

Download Submit
C:\Windows\_temp_heu168yyds\pic\7-2.bmp

Filesize
3KB

MD5
68a7611db6e902227980df598bab301a

SHA1
d3f09631f5e63c85d3e1a9d351bff108522771c5

SHA256
958adf0643d2d66175955a0c450f5775c3c3b23c735ebffd680ed0e58bb583ac

SHA512
e267d3303cb78999534f9520360bff84fb2a6cefd36c8a25e1cf0f80a36ccee14d3d12d48282a4772fb0467f3715dca9214bea4bf0fdddf961002bdd1f3f0a8c

Download Submit
C:\Windows\_temp_heu168yyds\pic\8-1.bmp

Filesize
2KB

MD5
c5b21a4b4880f0055e99f271f43850c8

SHA1
0328314e727c440cdcfb9662d4b55c039763edd9

SHA256
f4586ca895ab86150f0c0c6a5bc3a0a3e28c88771cdc1fce26857deeb6d265c9

SHA512
7dd3e70e4e4d2f2bc9a7edbf29a9510b6bb0ef450069da37a1d2c0e483614ed7a363d8b2d612219d1956b81f4393591b0daa55b838e31808e2768cda7c7b9c2f

Download Submit
C:\Windows\_temp_heu168yyds\pic\8-2.bmp

Filesize
2KB

MD5
94e7dd407071c974b91c8bcc032b7efc

SHA1
6a1523b7251c39f8a24bb04aceede797a14ad7e0

SHA256
0f871fb3645cfc8a0d4b50bf47167304498b5e0a504b05b7f6ee6a684bbec1ff

SHA512
9f205ec6d150256d0a1cd68be51e59e6d89bcfcf71c8fbd375e8f492634bbaa6bd68c365f252b98841c69cec30ca93a0957b067829c5599a5fb90d47c2530b1c

Download Submit
C:\Windows\_temp_heu168yyds\pic\9-1.bmp

Filesize
2KB

MD5
50b18774ae74d388da9fae4e53d12b52

SHA1
4ae97e5d0524cdf96124231d6b41969e885c64bd

SHA256
d8e86d29c0abd96dc92fdbe4c0b7bf30367401e63ba0c1ee11a9d6f169fca8c5

SHA512
16a5d244bd3ba477ef446f9f0bf6cb0e3d71fbf7a5a292126138aa228dc1ab9e33b03d978226f98fb39729ebe73f552c7805353b5f4071e856fd6eb45f9e5d90

Download Submit
C:\Windows\_temp_heu168yyds\pic\9-2.bmp

Filesize
2KB

MD5
2adec0b854c1511e7aa2ba3fc4e5d0b1

SHA1
08e3c11325bd43e5ae2a19ac555392e6f5fbec24

SHA256
53a4c25396160d3cb27d86093acfc43c6f540d8279e4fbad1172c9e784e3b38f

SHA512
d5cd1903776786cd9d5da2d582b9122a3b310efd7a4ee7bd81406b234496067baf7a96aeaa17f9b2bed2d5964b6130e8a85459d508237804cb3a0bda0b59f76c

Download Submit
C:\Windows\_temp_heu168yyds\pic\Close.png

Filesize
2KB

MD5
aa69a5622d03dc816e0c21e9867ff487

SHA1
2b8268e2796d728a55f3d48caef467367cd47d56

SHA256
a5968242aa845300fd5d97c0727c3afccf0c94fb2654d4d185c0afc936e43c91

SHA512
747ab85849015ad02f2fb21992d80a4078531cef0757bd26bf21ff994c357b3e67b73b66c3241cfb84219fe39d2f5c21e947f5d4f7dc49b74c55b70c0dab76a8

Download Submit
C:\Windows\_temp_heu168yyds\pic\Color.png

Filesize
2KB

MD5
ad1b105d2ab470e16895f4b7d0ee8fc7

SHA1
0bc5a34bc26ea95fabf9ef69d42afedeb3a628a9

SHA256
a7f54d8a7cba923b98c239bb35f9dd7857df6a10a74ca3290b2b6ab63d76a440

SHA512
fbb0659fc9b3106ee172842c2d41b3af145f1ee054209073a88daea9fe4cb41b206d52a9ffd89614eb177e19b1bf30f4041f778cfc0c6ea0992d8451f788ee22

Download Submit
C:\Windows\_temp_heu168yyds\pic\Min.png

Filesize
2KB

MD5
cc4dd823782ec16f6f8213129a1ea431

SHA1
84dce0b452585ae84f1b368681b31e380fd0a9eb

SHA256
1e510d24e9f110513ccd329e90242c2a897bb7902fcfb02d78b5480104455a4b

SHA512
7b73e8ee9d2c326a08f63637c0c5af8e1636e1e0896448a388f5236b8d5886528a838cc0293e3b4a84096395bc5923313f9c421285f8b3b9293e1657a6e1c221

Download Submit
C:\Windows\_temp_heu168yyds\pic\Setting.png

Filesize
2KB

MD5
f41c9477a1d7f379c7d2e8d2f89b2867

SHA1
e44012b9d9cdb3eb36840e2b701f048184e79a52

SHA256
d1b457e3839c0e2816b6476e67f3714debada36b065bc915f714da97916e6d98

SHA512
f130a8f765f3f79423a2019ce815295169e76b3b740a46a80d8ebdfa00e762259dd37faf479ada508091fcf4a5112ac4962f7c01529ccd8d7f4418f2dc5c4fcb

Download Submit
C:\Windows\_temp_heu168yyds\pic\skin.png

Filesize
3KB

MD5
4c37570c6058148a4f21f773b83ae835

SHA1
55830f9bbd65fccf7153115d3eb00e7bfcc388e9

SHA256
0751e6a9e67b49a32fcad384292aaae3cf9c85baa612c14e78a6977444cfc25c

SHA512
c7eb7494a1bc2dec1aa4bfdb7f558010f16abe4d47a1a0b9db0bf72615a0106ed6f13f2ecd1e4c1eab03ce5d5d49fa40a339f75602f90fa3b74ebaa03cde35d5

Download Submit
C:\Windows\_temp_heu168yyds\pic\smart-1.bmp

Filesize
8KB

MD5
168983e9f0e889082f8ed95371fe9ad5

SHA1
9b836a6b555b487175ee7f7e7813b783b42bb435

SHA256
961bfca28d74d0a07fcb4633131d8afa9589519be0543325dce12f9876161250

SHA512
c3a0bb5d3f852a30c6491924ba17830f22a847b8e9fdbd36333279c880a686761b0ccdaa9f58ee843fd2f08d8ba76d2b9d4f2874a3c32803ee3701ca31424bd3

Download Submit
C:\Windows\_temp_heu168yyds\pic\smart-2.bmp

Filesize
8KB

MD5
c04ac04097c2ec30e2739e6447ad0a9d

SHA1
f7b52aef1a6e9a84a57ae35df9c1c54d0edfa45d

SHA256
3ff234828053a77d09ce0b9571882b3bab9912a0fdc62bb4b22df759983b9681

SHA512
f55658af0428f3c11952e29b9551528b321d93b32dbddfc6ba119dbf580baa087b738453c54d50b0b7cd14eff4ac08d2d74b0bdb1b731b4f4b610a38fd6a687d

Download Submit
C:\Windows\_temp_heu168yyds\pic\smart.bmp

Filesize
1KB

MD5
c6505158a7af9fa54e73b14998574b26

SHA1
0fad3534a4be16440656e9c6a6aa687990ab688f

SHA256
6a449a406bad7f221eabe550ee55449da30dee3d69282dea91f68cf82f4459b0

SHA512
f7c8829669d144c72ed5f223c8d4c92cc16d2d99442ea8aa8c568161399ede319bb34892fe9bc0e9ad3355d1cc1be9b79a3f797163fa1d926c2d14dfb6ab2fe7

Download Submit
\Users\Admin\AppData\Roaming\HEU_KMS_Activator_30.4.0\HEU_KMS_Activator_30.4.0 1.0.0\install\decoder.dll

Filesize
202KB

MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSIEEB5.tmp

Filesize
567KB

MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
\Windows\_temp_heu168yyds\7Z.EXE

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Windows\_temp_heu168yyds\x64\kms_x64.exe

Filesize
1.3MB

MD5
2711afcd767ba4be72ad6b8fb91cfed3

SHA1
d66aea1097b7470c64c7654a6213928ade0800b4

SHA256
5fb8afaa234fb892e35d8cf712a08d8acacbc0bbc91dc6278b4a96d1104e8aa9

SHA512
20b6e14bd94764e1cd59cf23eeeaded732ddc01547824df40670f6c151b03aed33c254dd215cbb1ebf7a97656d8e83e00d47fe20706c11b61cd3da0f270e312b

Download Submit
memory/2216-76-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-66-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-88-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-63-0x00000000001F0000-0x0000000000288000-memory.dmp

Filesize
608KB

Download
memory/2216-82-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-92-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-86-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-104-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-128-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-94-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-64-0x0000000004180000-0x0000000004216000-memory.dmp

Filesize
600KB

Download
memory/2216-108-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-70-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-74-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-78-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-96-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-98-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-90-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-65-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-100-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-72-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-102-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-717-0x0000000004260000-0x00000000042F2000-memory.dmp

Filesize
584KB

Download
memory/2216-106-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-110-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-112-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-114-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-116-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-118-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-120-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-122-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-124-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-68-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-84-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-80-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2216-126-0x0000000004180000-0x000000000420F000-memory.dmp

Filesize
572KB

Download
memory/2308-0-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2308-718-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/4264-971-0x000000013FFC0000-0x0000000140299000-memory.dmp

Filesize
2.8MB

Download
memory/4264-1015-0x000000013FFC0000-0x0000000140299000-memory.dmp

Filesize
2.8MB

Download
memory/4664-734-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-743-0x0000000001390000-0x0000000001CB5000-memory.dmp

Filesize
9.1MB

Download
memory/4788-969-0x0000000005850000-0x0000000005B29000-memory.dmp

Filesize
2.8MB

Download
memory/4788-1011-0x0000000001390000-0x0000000001CB5000-memory.dmp

Filesize
9.1MB

Download
memory/4788-1013-0x0000000005850000-0x0000000005B29000-memory.dmp

Filesize
2.8MB

Download