bdaejec | 9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
Size

7.9MB
MD5

0e9b0cf7ad86bf6fe629240d346774fe
SHA1

f19bdc45143d471702b5c12372fbe1a707887626
SHA256

9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187
SHA512

67b42e9fba9356aaabbe73e7f282fe323303937729c23f9fe566b83f33c6e2453dc4265aae2aa350f69f0e57149efa0864ad92b366c2da6ed72aa931c86f916f
SSDEEP

98304:88sjk6EVOvx8Bz8cS8jC+lJD2jIxzzBLGYCG0VOluKWVQPcwPyU8ZZWEzLnFnG6G:uj1EUm2pEVlN2jIzk/Oyqrqw4nDzLP8

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

Processes:

resource	yara_rule
behavioral1/memory/376-49-0x0000000000BC0000-0x0000000000BC9000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x00090000000120fb-8.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

RPywbu.exe7Z.EXEkms_x64.exe

pid	Process
376	RPywbu.exe
1052	7Z.EXE
1708	kms_x64.exe

Loads dropped DLL 4 IoCs

Processes:

9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe

pid	Process
2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2640-7-0x0000000001250000-0x0000000001A42000-memory.dmp	autoit_exe
behavioral1/files/0x000400000001cfc8-533.dat	autoit_exe
behavioral1/files/0x000400000001cfc6-532.dat	autoit_exe
behavioral1/memory/2640-541-0x0000000001250000-0x0000000001A42000-memory.dmp	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

RPywbu.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	RPywbu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	RPywbu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	RPywbu.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	RPywbu.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	RPywbu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	RPywbu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	RPywbu.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	RPywbu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	RPywbu.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	RPywbu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	RPywbu.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	RPywbu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	RPywbu.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	RPywbu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	RPywbu.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	RPywbu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	RPywbu.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\chrome_installer.exe	RPywbu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	RPywbu.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	RPywbu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	RPywbu.exe

Drops file in Windows directory 64 IoCs

Processes:

7Z.EXE9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.execmd.execmd.execmd.exe

description	ioc	Process
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\OEMDumpNET35.exe	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OffScrub.7z	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\SYNNEX.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\15-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic0\backup.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\x64\SECOPatcher.dll	7Z.EXE
File opened for modification	C:\Windows\ScriptTemp.ini	cmd.exe
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\SECCSD.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\1-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\19-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\21-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\Down.png	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\DELL.XRM-MS	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\LGE.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\YUTC.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OtherOfficeOSPP\OSPP.VBS	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\19-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\5-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\BACK3.jpg	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\HEU_Set.ini	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\FSC.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\NEC.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\emulateslic.bin	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\gr1dr5	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\10-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\kms-client.exe	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\AQUARI.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\gr1dr6	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\4-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\smart-2.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic0\ewm_gzh.jpg	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\VSCAIO.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\Color.png	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\kms_x64.exe	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\BACK2.jpg	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\TAB1.png	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\3-3.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\TAB5.png	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\STINFO.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\14-1.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\pic\8-2.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\EXC.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\DEALIN.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\HP.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\LANIX1.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\15-1.bmp	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic0\inst-tra.bmp	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\BGH.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\TOSHIB.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\TOSBYD.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\ScriptDir.ini	cmd.exe
File opened for modification	C:\Windows\_tempheukms10310852593390\x64\SppExtComObjHook.dll	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\Color.png	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\EXO.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\RM.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\OEM\emulateslic.bin	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\kms-server.exe	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
File created	C:\Windows\_tempheukms10310852593390\OEM\cert\DSGLTD.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\POSITI.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\OEM\cert\VESTEL.xrm-ms	7Z.EXE
File created	C:\Windows\_tempheukms10310852593390\pic\BACK4.jpg	7Z.EXE
File opened for modification	C:\Windows\_tempheukms10310852593390\x86	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
File opened for modification	C:\Windows\ScriptTemp.ini	cmd.exe
File created	C:\Windows\_tempheukms10310852593390\pic\17-1.bmp	7Z.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.execmd.exe9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.execmd.execmd.exeRPywbu.execmd.exekms_x64.exe7Z.EXEcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RPywbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	kms_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7Z.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	kms_x64.exe

NTFS ADS 1 IoCs

Processes:

kms_x64.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:	kms_x64.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exekms_x64.exe

pid	Process
2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
1708	kms_x64.exe
1708	kms_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kms_x64.exe

pid	Process
1708	kms_x64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7Z.EXE

description	pid	Process
Token: SeRestorePrivilege	1052	7Z.EXE
Token: 35	1052	7Z.EXE
Token: SeSecurityPrivilege	1052	7Z.EXE
Token: SeSecurityPrivilege	1052	7Z.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exeRPywbu.exekms_x64.exe

description	pid	Process	procid_target
PID 2640 wrote to memory of 376	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	30
PID 2640 wrote to memory of 376	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	30
PID 2640 wrote to memory of 376	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	30
PID 2640 wrote to memory of 376	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	30
PID 2640 wrote to memory of 2212	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	31
PID 2640 wrote to memory of 2212	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	31
PID 2640 wrote to memory of 2212	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	31
PID 2640 wrote to memory of 2212	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	31
PID 2640 wrote to memory of 2792	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	33
PID 2640 wrote to memory of 2792	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	33
PID 2640 wrote to memory of 2792	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	33
PID 2640 wrote to memory of 2792	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	33
PID 2640 wrote to memory of 2984	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	35
PID 2640 wrote to memory of 2984	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	35
PID 2640 wrote to memory of 2984	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	35
PID 2640 wrote to memory of 2984	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	35
PID 2640 wrote to memory of 2772	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	37
PID 2640 wrote to memory of 2772	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	37
PID 2640 wrote to memory of 2772	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	37
PID 2640 wrote to memory of 2772	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	37
PID 2640 wrote to memory of 2776	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	39
PID 2640 wrote to memory of 2776	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	39
PID 2640 wrote to memory of 2776	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	39
PID 2640 wrote to memory of 2776	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	39
PID 376 wrote to memory of 1140	376	RPywbu.exe	42
PID 376 wrote to memory of 1140	376	RPywbu.exe	42
PID 376 wrote to memory of 1140	376	RPywbu.exe	42
PID 376 wrote to memory of 1140	376	RPywbu.exe	42
PID 2640 wrote to memory of 1052	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	44
PID 2640 wrote to memory of 1052	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	44
PID 2640 wrote to memory of 1052	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	44
PID 2640 wrote to memory of 1052	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	44
PID 2640 wrote to memory of 2288	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	46
PID 2640 wrote to memory of 2288	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	46
PID 2640 wrote to memory of 2288	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	46
PID 2640 wrote to memory of 2288	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	46
PID 2640 wrote to memory of 2536	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	48
PID 2640 wrote to memory of 2536	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	48
PID 2640 wrote to memory of 2536	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	48
PID 2640 wrote to memory of 2536	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	48
PID 2640 wrote to memory of 1684	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	50
PID 2640 wrote to memory of 1684	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	50
PID 2640 wrote to memory of 1684	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	50
PID 2640 wrote to memory of 1684	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	50
PID 2640 wrote to memory of 1708	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	52
PID 2640 wrote to memory of 1708	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	52
PID 2640 wrote to memory of 1708	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	52
PID 2640 wrote to memory of 1708	2640	9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe	52
PID 1708 wrote to memory of 1484	1708	kms_x64.exe	53
PID 1708 wrote to memory of 1484	1708	kms_x64.exe	53
PID 1708 wrote to memory of 1484	1708	kms_x64.exe	53
PID 1708 wrote to memory of 2392	1708	kms_x64.exe	55
PID 1708 wrote to memory of 2392	1708	kms_x64.exe	55
PID 1708 wrote to memory of 2392	1708	kms_x64.exe	55

C:\Users\Admin\AppData\Local\Temp\9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe
"C:\Users\Admin\AppData\Local\Temp\9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\RPywbu.exe
  C:\Users\Admin\AppData\Local\Temp\RPywbu.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\17974eaf.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Temp=_tempheukms10310852593390 >>%windir%\ScriptTemp.ini
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo [UserAgreement] >>%windir%\ScriptTemp.ini
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo UA=NO >>%windir%\ScriptTemp.ini
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\_tempheukms10310852593390\7Z.EXE
  C:\Windows\_tempheukms10310852593390\7Z.EXE x C:\Windows\_tempheukms10310852593390\KMSmini.7z -y -oC:\Windows\_tempheukms10310852593390
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo [Direction] >%windir%\_tempheukms10310852593390\ScriptDir.ini
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_tempheukms10310852593390\ScriptDir.ini
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\Sysnative;%SystemRoot%\Sysnative\Wbem;%SystemRoot\Sysnative\WindowsPowerShell\v1.0\" & echo Name=9ade9cc07927b1ec62614128eac5801b4ab5994ce753df4048dcb6509d783187.exe >>%windir%\_tempheukms10310852593390\ScriptDir.ini
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\_tempheukms10310852593390\kms_x64.exe
  C:\Windows\_tempheukms10310852593390\kms_x64.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c if exist "%SystemRoot%\Sysnative\reg.exe" (echo 1)
    3⤵
    PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\17974eaf.bat

Filesize
187B

MD5
defdd4c7e19aa7a68edbe8a56dd43726

SHA1
1afe9484e206988b961c7f3631df16e1539aec5b

SHA256
5ebf6781050cb9486c88b5542c9c0b3cc8a952f4d3740639cc6484cf5c915ed6

SHA512
a2381ce2c1a3b2e3013e1b40eceb2fcea33a0049677e740630403b7e5be51c625dd99797eb2db56320bf2950b021a75d3017b2497568851ba92c17f3fb506a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F81BC6.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RPywbu.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Windows\ScriptTemp.ini

Filesize
42B

MD5
5f23000324f4a16d88e77b44f7fb470e

SHA1
05a4aaa3ced58ee929e9e9f8ab64deff79e87bdd

SHA256
df0e9ecdf01f83a2baa1864b82a7e031857ea915aabd38a562432b705cdd4143

SHA512
e5096a50af396883a32b82bc3120063ddaffa0d9d40c5f2e50087cf4c1b02e7c791c528e3b22659ef5e88772516f0361ba01054a5acc453d3292ddbee6eb5b0e

Download Submit
C:\Windows\ScriptTemp.ini

Filesize
60B

MD5
3618f16be960c62f048e9e9dd951195e

SHA1
f85eb1525ee625c1726395d5d260a895a4e961d3

SHA256
4cfddc9f656e9f0bf2a3aff8a7fd878fbdade7e5c58f1fa0149ba5d91b08e759

SHA512
7ee7193b0f62db92bce1da91bdbd30da3bba40bd678f6ca49257a6c8229c81422ee8c429236085a99eb04432f822f52812a8797af62a006ef03980336b5b23e6

Download Submit
C:\Windows\ScriptTemp.ini

Filesize
68B

MD5
a914fcf65b4c710954d37ec030d7ce18

SHA1
225c39487c40e4e2b0c15839beed1e3ebfab4bf5

SHA256
59108620f95ded1b9bfd1639dae885c3bb400c80e98cd7c2b746cf15a73634f1

SHA512
f68d70efa4eca4976a4e68da6e30b06b1a81a8d623806ad11b9bfcb6a2d272c152934688d296e04ed44a9a6fb29e18038575f1c9dc8bf5d45241c54c0c8b0765

Download Submit
C:\Windows\ScriptTemp.ini

Filesize
69B

MD5
2b4335975100a6a41dabd7a2710a86ee

SHA1
9f3e8e55b6dc83da7a596e9fc1d44a2705f4bffd

SHA256
f07c9f7af6814bd8cdb52a8904e15be101be876e3c8467d3b1391e25b2451551

SHA512
182a0f43e5669d173dd7bf78662feedc7ab7e46799e18008d05a2cc1454b92f1dd63b5229779985146caff64c059d51f5538ebe611dee2e85a550582a3a4d526

Download Submit
C:\Windows\_tempheukms10310852593390\DigitalLicence.7z

Filesize
489KB

MD5
1843ab0c616447ada3a452f01bc0df8e

SHA1
1f40068bc1ad5469768752f7b25c07b2567871c4

SHA256
67b0363a14716d81a7322f229b634ffa61161f80260d0e0c16af5a18bbae2b91

SHA512
153d5eec9a73d63b12d0089cd25c70f5a2c740eeb138a73beb096049693a685c08c8d605e536449cd7b1e0341796f3f1a3cfbc4d9ba9681c3390cd7041b92425

Download Submit
C:\Windows\_tempheukms10310852593390\HEU_Configuration.ini

Filesize
2KB

MD5
b74971f1fe581cf08e8f69124f5f2bcd

SHA1
dc56ff99d0204bd44928a925054f52d1c38c68f1

SHA256
b7dea91768212bc915345f82b9165f3bdef0f4333ea6738ac800758296fb5b00

SHA512
dd66bf6d9a03eb10027ae739ab2a97a481fca8778a4a5546275a2e266fd022b1e02b91d3e2d37d86b6c4bb7d895575b0b4cfa6d7c8289ff635246585fbde366c

Download Submit
C:\Windows\_tempheukms10310852593390\HEU_KMS_Renewal.xml

Filesize
2KB

MD5
a381b30e51ac126f51f421e082de0ea7

SHA1
5f847e828bd7b5dd0d02f4c505fcb084c69b068c

SHA256
84de47c26a7379ef5c31ad5452372e7477bfb739e2684d31c0db22cbed56d401

SHA512
89cacee08884390f06f79e4e41481eb90363099aa7da960ee3cef8cfcef03623105fe0be7ad2c88077b42ebc5efb21e5d713607850f48a191708298f34323180

Download Submit
C:\Windows\_tempheukms10310852593390\HEU_Set.ini

Filesize
47B

MD5
5251be66b4b2d836e6ecf183a3ae83e6

SHA1
e0f941232d0c3ba8906ca12b9de31d9b95495503

SHA256
eaed66f92ebdcc94dcf567a7e20ecff799751ded4cf563dc633c5bc13cfe3dc7

SHA512
bc996a2ff9bb8d2c9caefcff37449bb757a9b1c70bdf5473ac4fe45f6ba6d00c8d3efbc9d40b6421e12a28314515e3186625f73c2f017e3ca51bf1fc433b3a20

Download Submit
C:\Windows\_tempheukms10310852593390\KMSmini.7z

Filesize
3.0MB

MD5
ce5e27ce89d41f1a2646fc87a3eaf7e9

SHA1
d71093da1263e97df98b6c4de32808edb23557ac

SHA256
71ae4eff575b32092c2e8a57a2902ea077ec425dd6ae0fff2f5102983e172507

SHA512
96b1434a37ba840613812531c9c8d104d2834934c428db9fa45a4c802092e5fd854493772f6c62fcbac6cf8aaae4c288e0c17b3f73bc4eb82c4dd52ce38c3521

Download Submit
C:\Windows\_tempheukms10310852593390\OffScrub.7z

Filesize
753KB

MD5
e8e6d756ed63eac2ec255985387fc2ef

SHA1
fb63e46ba299f3f6e73eb9e67048ea4bd8852121

SHA256
6de58bcf17094a22a7a528a2a5697025c534c8bad5e701afc547a35cc4a21508

SHA512
ecf1f25f8f8ed30da144a1d5eeef34c9900d0d2958bccbffa04347a6767bb4882b83397a7d1986be85300afdd3b5cc6bbff836452a136b25319ff28c9b00b683

Download Submit
C:\Windows\_tempheukms10310852593390\ScriptDir.ini

Filesize
54B

MD5
8ae2dae3a0651c88dc193f63deb0cdee

SHA1
4466469ed06e699dd8647263c4060fec752c5cc0

SHA256
b70662ce78f1b79d25502b40e95718f6f118ff4526f7e8153adf785e90e11f50

SHA512
1440888a5703c818053a3e7de13410e65dde4500ccfba3e1161eca05244fe5f4a7309fc1e20fddfdedfb669fdb0ec3ca6577a5f42b4400c06b1205e6929f9058

Download Submit
C:\Windows\_tempheukms10310852593390\ScriptDir.ini

Filesize
130B

MD5
14fd6f76c98904e1eadcf4d2276c6925

SHA1
bde3350f701260472b330eaa232b1a257b811dc5

SHA256
1fe3372703902bdcd8f075790d6e4f3a4998696fc9b1d2403172bd7f67a33fae

SHA512
e55eb7616f3a8e5a441c7544002ee149d2915782f366ec98ec9806bd34c78d5fb5b9318d40f43a115c2b22d5963a058b6233ce963c3b089ee73a627a46344eac

Download Submit
C:\Windows\_tempheukms10310852593390\SetupComplete.data

Filesize
173B

MD5
13e06d184fff389461413b492bdee1f8

SHA1
3977c70724a67be800f9b6cdce67fe78fec9adc6

SHA256
c7a8b216ba576b07cad119be0c82be0180d8e55bb254102ff3efd46b4b7c8036

SHA512
ad6e766eb8125918dfd4e9ab8cd51de1120c084f0f9571132a3007c01397e953f0fdd0dbc9f246b32fc7fc406941794ef1c8dabd613d28c2f6419f21738fa3df

Download Submit
C:\Windows\_tempheukms10310852593390\SvcTrigger.xml

Filesize
4KB

MD5
ade0007995da8218a924eae18dd5ffa4

SHA1
de4480d869df4e45e666e3ba74c87786d2ba01e9

SHA256
6c4c7816d99652a6248e8877ac24d341b3d87bb1e7a6be159eacbb6b6bc61352

SHA512
25576dd5103c8f677452ede6bbd1ded407f290741f0e30294ddfbe54d43be98a7f9601a3d722a997041980da083d7de7da9b2e9525d920cc207143bd60ffee95

Download Submit
C:\Windows\_tempheukms10310852593390\cert.7z

Filesize
595KB

MD5
5ffd2c6dc5dc2dc07fe5cd45448061f1

SHA1
a08c603c23a0fab43cd3903042de8c2c3cd26322

SHA256
7fd98aab6bac7b6264b2ef3ba7818c0521ef02793631f9d23e28929804bab325

SHA512
aec152ec9cce0917256a7d3fce49ae3cec43abd0dbffdde25a2eda52cd4bb6eee55f63a2169680a7b4b0e6c0792514f70bb1d0e397f627e87399b67ca4a0a61a

Download Submit
C:\Windows\_tempheukms10310852593390\digital.7z

Filesize
1.4MB

MD5
caf71eb57c23ce0d6703414893aed947

SHA1
25283ba2bc76b5af929e52a15de057198b843f6f

SHA256
7541ec02a4cbd62690d9aeb06d922a7382bcbfd7d17578a9b69cff3868b096da

SHA512
df3866bf09bd97c70d1f2488462f7c739043f8816192e7b734a70fcb8a377465aaf17799392d7ac173b090374f52ff71f6b7bd7a18ef9295452098720b26b87c

Download Submit
C:\Windows\_tempheukms10310852593390\kms-client.exe

Filesize
52KB

MD5
a83db3ac36bf6c660518ea41f6db700c

SHA1
2b98346e8737e50b63e14da9989aba8b61e99ce6

SHA256
47f5b3bbb071fda3f0540e1658a9d08d6526bfe2525288a1ba0c6d093a16bbf2

SHA512
e88b81c70059881fbb518719366a73e47db753b409391cf710c89c2e7f19e396d012a1a98ffb4fc9d78dc8ba96051234ce6255c1a6fb8548f0b66b1b0e8987d2

Download Submit
C:\Windows\_tempheukms10310852593390\kms-server.exe

Filesize
39KB

MD5
fb8202b9093d817326b3102ef4157964

SHA1
ee874efe4712035329c0a8e04a67556a8b8ac56f

SHA256
e9b964b13f6363997fb27078e2a21ee7f73cdaa0100aa29db45e63c5aa3220ce

SHA512
bb0dd7da730a5229e332802f320d7ca9d220612cd22d8463578d492d4fb4a8ebf9d67587ad28d1147a17e91ce85af32ab7bf46583713590a09c61d7a3eb0cb0a

Download Submit
C:\Windows\_tempheukms10310852593390\kms.exe

Filesize
1.6MB

MD5
33c913ac3a57693a7234db5c626aa077

SHA1
aa127d2a8202fe454b3b33b19a8c15f169ee145b

SHA256
69e753646da6d8a980915d7a6391d90ba4af99ccebf5f322f23a658538c7716a

SHA512
b2de904b02462e7dbdf994ef4f769488cf037aa9d00111822e009994ada12a8ff78fce8098b4b57540e665592c853c579aaf2dd996bd10a0cb41f266e75bed4f

Download Submit
C:\Windows\_tempheukms10310852593390\kms_x64.exe

Filesize
1.7MB

MD5
3fb13a57a0dccc1923be05c26ed83366

SHA1
1c57b7b234de7b040c91dbe44d7643ba639f9de7

SHA256
5a545e967e35104f1c46032bd562eaf7c3a0b655a2b1f9214cf3972b53102336

SHA512
4d0db91a00877f1f5bfb827368a204d8b02ba7764c77a4d26f19643b1c3e21cb34d77d45ebbf444ada003c87dc4d9f85be5005398471e06b09cff64d40a4301e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\1-1.bmp

Filesize
3KB

MD5
e0833d8bcd690690ef879ce9ba3c11c6

SHA1
135a54bbc8ee0985ed461cadb5f047595e200a56

SHA256
aa14bda30d6e8d2a7b16bb3fec8262baa3736986edefd054689f4efe530aa71f

SHA512
efac0a3e3be8888a1600682e1a9eb87da741f8be26ba755341640e866d88b3241b5c00b25218ea67fd9030c0b03554b7ca2702d65cff45377b1a7a64a8d58452

Download Submit
C:\Windows\_tempheukms10310852593390\pic\1-2.bmp

Filesize
3KB

MD5
3cb5c501213ab8c6cfe12fd92b529143

SHA1
90acb219726556f2f4bcf831a56240c61dc518f8

SHA256
e1ed58b8341b07f1f1eb9dd379206d4b81acefc1f7a487b77c79c3ed2886e33b

SHA512
9b925efda06bbb358f7cdb9a29bda2c411a5260445cf7286755dfbfec54eb413e34759f89a329361fd20dbc39df576f35fe81bf5138070a3f3cb0525ac4681f6

Download Submit
C:\Windows\_tempheukms10310852593390\pic\10-1.bmp

Filesize
4KB

MD5
88aec5f3833949da9c9e1a75fb1f7be6

SHA1
a4db450392cd24a8d258cec86657d539d6170dc3

SHA256
d8989332a09e0f0d099ec3cc50bb95a9b9b4b2aeb2d735f0d1a4ffd8ed5f246a

SHA512
78422f2ed32dfbc80896062a10e5d58d8d8b4dff11db9714e036621c5ccd44c3551d3988f10a03ab80ccbbaa5a6a3d45cd68c307a3b87a6e5161aca8d3c2416c

Download Submit
C:\Windows\_tempheukms10310852593390\pic\10-2.bmp

Filesize
4KB

MD5
808072808e6ffff8ccd6f6878476e5a6

SHA1
56871b1ec67c978fcbbc07fa7a8d63bcae947c6d

SHA256
0a5aca420d69bc4752fc52825a5cdf5017f15e55c05e1a014c3eb01dcff4c6e6

SHA512
e92960656339e0a8923941f15fe6537d64d0e1b43c89e4c01c99d8a01055bd50c247f52f7debdc60ced725406f8589d0387d7a3f48e381956b88b8331869b231

Download Submit
C:\Windows\_tempheukms10310852593390\pic\10-3.bmp

Filesize
4KB

MD5
14069ab8547a7aeb723b2786c2487587

SHA1
0a2b3f915496a5a75ef693adfbc8fd07c9cd8850

SHA256
db79399797d374cca31c7dbc4b8e16b03f5d0e75b9c903dd6b4cf18726a51098

SHA512
3ce4bf7992146de13a110298b066b0f27c5c1c583450a074c347d6df6ca867b0a7779b61bb4466cf7d78776c458dbf51a631da449a3886a08d801b870baeea13

Download Submit
C:\Windows\_tempheukms10310852593390\pic\11-1.bmp

Filesize
4KB

MD5
9dfc76f1fac5fe605e230474cb81b7b6

SHA1
bc1b282c5cf378869ef79a10111cae1736e53e50

SHA256
0505c7edfb2bb0823c34242a45ac8e60e1867dbb6a102114041a97c0d643e033

SHA512
69e8d06b584b2f496e329fe392bfa28961c707406a8e1a694a7fc72b3e9e078ff1c68fe5a914518278b26f05f6549337fcfc9c38c9a778f32d13e6f429f92be8

Download Submit
C:\Windows\_tempheukms10310852593390\pic\11-2.bmp

Filesize
4KB

MD5
a317949559be707aa631a95adeb810af

SHA1
d778104b63e4ccd96d34b3739d23137457f1499e

SHA256
5de82be4f8d7b6b949ddf2fa8e9240dde10f61fa405d12c48b7f3948e8ee68fb

SHA512
caf218d76dee6f44845d4280957cb8b85401f1e884795fe91300d92f11096c74604d3a46b79d7119d77f124e63606d794adbe90a66f52f614f7a65715302428e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\12-1.bmp

Filesize
4KB

MD5
68bcbaa656e0bab9290d91a2d33827b7

SHA1
5c8f9d106b5fdce45d1156370e095e60d63dddb3

SHA256
33adbe2110ec619b21b30fb9463fea603a26a29c8a285ca8ffb7e2ac8c3ca019

SHA512
5c7a75cdbdeb6314b68bb342aa4847543c9c5204e6c810d35e3cb6ad470689ee5745f941c594425f7c1516208e33d8b53ccfaea0e4e9661d8084dc91d740c68e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\12-2.bmp

Filesize
4KB

MD5
a833b05a3ff4fef229bf73285bc6efb8

SHA1
f0095103468e14f2faa0b8f88301dcb4a125534a

SHA256
1fbe4d4310ae3755db6fe4a8c29960387554109f78419610e4f173fdc609ccd3

SHA512
7acb5411b7e67c962e7b0bd4c49a7f851a78290c76689ddf572c91dc4896b243aa7fe2f71efeb595193e933c3972eefbcb71e810bf4b2dfcada0dc24e2867291

Download Submit
C:\Windows\_tempheukms10310852593390\pic\13-2.bmp

Filesize
4KB

MD5
e1e9e4fb69edbdbf0cc86daa07f5062f

SHA1
aabef4703f152cf152d3eac45aafb3c60e3b60e3

SHA256
f0a92c1281bfc97153d666adda9aad665ba649e71aa739d8b9d71a8682b64ff8

SHA512
ea743c0c79e15bf99eb2044346ea61e51456a386f5a0e95949db8ae5799b93819f84eec5f0da4a72a52c0a792f95d57f8e0a9c2edf717ee93c4a6737d92ab74e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\19-1.bmp

Filesize
536B

MD5
addd7eaef8a73b1178c103661e17feff

SHA1
e62d9fc0e837c1f365385488e11df2677547f0a6

SHA256
0dc79af8aba2990023f45a6afae6e081e0dbd65b09b3790ad9ad91053b985ad1

SHA512
17639a0a6c0a779c67c23bc4f708f4fc98c03888219f9e7f6bb60ee166e16246a10b31e61fdd119d7d9fa32a6d9d8b2fb9d34786a93412cbdd7db467c133da63

Download Submit
C:\Windows\_tempheukms10310852593390\pic\2-1.bmp

Filesize
3KB

MD5
afb60ed1ff996a85f0e7cbff94248ae4

SHA1
c62f805d42e7d9a70af8d66d6e226351e9907962

SHA256
546932dfd2f371720662d977bdf20a826d29f39354135b4f65ed06eac4fa7119

SHA512
c1ca4710ba01e96c4a28c3a23cae6073f1d59ca070c20ca3b25541525f75212cceb2327b8e99b4d321f5522535c86206ebe58e7a96d15749ca29f501c34fb22b

Download Submit
C:\Windows\_tempheukms10310852593390\pic\2-2.bmp

Filesize
3KB

MD5
fa2a0513abd15f913c8cb2baca80085c

SHA1
80386b9a0efa1149334f9917578316f9dd943c84

SHA256
a02b832b8576ba7973e78aa70e482443110a5c681b4d9ce9a32c99cd2889582e

SHA512
77b602b31b9958af757b168f41718e52707869ae7b275bd0f37d58ebbbef1cdb9db8bec2b84642783ddebdf4da06a45d48c6f28c33118ab372efd7b727124e1e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\2-3.bmp

Filesize
3KB

MD5
f4dc67e990a6e81e5b27d5a883ea93c5

SHA1
9e26590186bda1174c69ed2572074794d522e096

SHA256
5a9b4aac61c2f7ac2e4e65030bd40d7323402c1a2b0cb65a92bab84224787e9f

SHA512
d6ca29df6a4189aa751e122016f16f6ef46ffef56bf6e01017fdde5acd85fec6bc965c8809044dea13a59b3e652bf2da857211cb59a56b3cc7534e2e974b7749

Download Submit
C:\Windows\_tempheukms10310852593390\pic\3-1.bmp

Filesize
3KB

MD5
eb844a94dba2c7db8b3d5d358826bfa1

SHA1
89b84a0e2d4d2e59f0916cb7eff8178f0f109f46

SHA256
42e6e8e78c5a13b195140952cda5bd6468d7e14ef0c2cf081839941fe6426ce8

SHA512
e75c572766afbc9225a23c33a0f08ffd10ac15cf9bcdfad0060f347894f3be76633600d863acf97ebc9f9c4ede6d58988c05b1f0f2856a9f2eaae5e25ff152e7

Download Submit
C:\Windows\_tempheukms10310852593390\pic\3-2.bmp

Filesize
3KB

MD5
f58f7c0d4e9543501fc24c7c40d05749

SHA1
bab6cacc75236d306b3f7b7c5c7983694577fa20

SHA256
af281d2a72d60d2270d24bc75ad4ade7f2dc27eaeb207122f19cd9ee12d39df6

SHA512
ac7f2ab63a22a501e6ab3baf6f6995e01ec04df4db13c818bb445e9d5323bacd39b72bd9d3909ef175c4c5f4456914b7abc02e4a4a6353b5f5b1346e1a026515

Download Submit
C:\Windows\_tempheukms10310852593390\pic\3-3.bmp

Filesize
3KB

MD5
6bced572118957cdbb06e3ea7edfb1b1

SHA1
c844b3a797052062a41c93344df10e7c0c000d49

SHA256
1e33d33c3a829d7919e5bb6980a2677641d3cfbdb844347be8ba82f8445e07fa

SHA512
e52c8074b8d239a5f756a13221b66d91e0428ec12d2a785bbb98935ccb7eb2ca9f53a5fbe54a87d5631b8cabbb67076caafd520b428231cf9bce0e3c7b23569f

Download Submit
C:\Windows\_tempheukms10310852593390\pic\4-1.bmp

Filesize
3KB

MD5
5ce46152706f7d7b5d48a088cd15a8a6

SHA1
f7fbce4fd7e646a6889b80d58f2b1292d6f9e680

SHA256
d7d93929f032db7a0b6b11f09e58ee3d2260c45f2861ffb95753a983d34ec337

SHA512
392443e7959098c653ae9640c59734ab51784f6e0af142a280a44359c0238ab4d8c9fb255797f0f3e64612c133e18e12bd0b1341f661dd65e54c7bec05a4829f

Download Submit
C:\Windows\_tempheukms10310852593390\pic\4-2.bmp

Filesize
3KB

MD5
751e2e1ca20bfc4b662084638ecc15c1

SHA1
a010d6551bb2c40ccb7fff9a7782df06df7716aa

SHA256
3e6fdd20c78c83596568133f651c209c9f1ecd98e8698f209b27736343767314

SHA512
7e09e7f70ead62b1265b5fdb972a1c7a2fe2a318e90ce4d630fb7b999498f2fc9909439177ff03eb7970106bc5fc7ea083a8498d0917ccb8a3d965cac74b0fd6

Download Submit
C:\Windows\_tempheukms10310852593390\pic\5-1.bmp

Filesize
2KB

MD5
6ea083bd67cd3a4433476ec617312af9

SHA1
84ef840c98fc31bc93ad04cb0875dd1042168c64

SHA256
57759d7ebb145fe8d3ca830f563ddad615a12ca569f0e0e44c2db471dabbe00e

SHA512
5f18cabc3b50a3d4f193423f211071a2e4d17a1325593892deb8282344745133e7b688bedcb4a015c0163a473c36b696728348303ee1c66d4debf59cdbbe9063

Download Submit
C:\Windows\_tempheukms10310852593390\pic\5-2.bmp

Filesize
2KB

MD5
56c1052619ced459ac5869cdd5e85cd2

SHA1
1db42703988b429f035b0b433461950e85ca7346

SHA256
d356d45501bffe21e0e9587022f5fc01f31db5a96715f72ec216a52a94453dcd

SHA512
161ec85d0d54d70f2126ca41a5be7308c18c8d05aaff6127fdee50e937749b2cf721423a8da858ab250e83a16cb7827e9583b8d56343ca0b5eb263acf5c3f2c3

Download Submit
C:\Windows\_tempheukms10310852593390\pic\6-1.bmp

Filesize
3KB

MD5
d2dde87b25bf39f9f3a6d53ee490c44c

SHA1
5eec04addcb350fc436a67841dd159784f417279

SHA256
2a15651060e3a526e84ce8ea31f08b879ff578f4e280cd9476cbabaee298d138

SHA512
82f08e247582b81436504e71ce40efd7afe254aef8bbc0812bd545c8c908729909890d57641727febdf35163b832066537317eed8b1c1c2cced0cba7f6fa8b06

Download Submit
C:\Windows\_tempheukms10310852593390\pic\6-2.bmp

Filesize
3KB

MD5
83feb1292d3c5ca59bf6ff471fc57442

SHA1
b9d793a81321ab9474c357408fa4fff11cceb79d

SHA256
e81611c330c9e4d9547c79336335a3edfca4297add5ad55d221dc77c5bf94ab2

SHA512
1aad3cb84db641d9500d09a530b358d7e41410f030984f50278bee89ca2dbdfb21a2c77482952e70f3f582f154912790b3c18376c97f3c7cec9bcce33c9b5f0c

Download Submit
C:\Windows\_tempheukms10310852593390\pic\7-1.bmp

Filesize
3KB

MD5
de93e767f60320ca8bef2754f3ee0e6a

SHA1
5b20b939db7a62de09595b93234600c50b6587ea

SHA256
8984d81be5dcd0d7472c175e65a7f4c083340b4e32878e32693aeaae6228e492

SHA512
8fd2de6e167ec500682cdaa5aaad0a10757103c55f900e7474bc502dfd03776bdf3807b46e87e8ef030b743ed998b0ca8384128da74f9f9e967fc8996a78640e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\7-2.bmp

Filesize
3KB

MD5
23b3c0b4445d30081d5d2d7d1ea46509

SHA1
2b2750baff4b0b501061b8bbba5c898b6164130b

SHA256
b4d5349fd6313734ff0f79c1f559fcd82712aab463393cc7f595279065fdde26

SHA512
e400f12e5252c5490fac427a635d011f8c6226ce13552566a44afb842781edd214fe18dc698f6fa9089e3e095d9dd466e76278fa213240fc3301f79abc0c28ce

Download Submit
C:\Windows\_tempheukms10310852593390\pic\8-1.bmp

Filesize
4KB

MD5
17a27e0183f025009e0e9ee49d7de45d

SHA1
77da51103a60338e10c10fd13d74164e0b2f1849

SHA256
e1e763a89dcc1d346516a9123580c8e540b47062dbc4d666036fb0967bf08306

SHA512
1b88c3bc2bc01f056ff16d3e10f22d6d435c3c70142e8dba90d59b2294c335da70d806e19b08b7a649b017c87515855cb2a4da362bea8a86cd7ea93a834e2b34

Download Submit
C:\Windows\_tempheukms10310852593390\pic\8-2.bmp

Filesize
4KB

MD5
adee5867f985b7e4c11a4433dd225b1d

SHA1
6c0b57835210c7a9909aae95796b0e1da6ed63f9

SHA256
303f15369554d1e285b4a90581d45a86081d3700895b387263b5bdff46ceb687

SHA512
1677144c620083b5894a285cc32cc5a552f792e489a7183b0793336d7dfd100aaeaef4295815cf966ab41998bcc9d5bb0a2e95e2f3053d7d8c39909ed4526b93

Download Submit
C:\Windows\_tempheukms10310852593390\pic\9-1.bmp

Filesize
4KB

MD5
043d647ae29e9dd859ddba50d204c5ff

SHA1
af1f095cb9a1fcc838a5ea5975601358967be197

SHA256
0cc4107a5b9319de1b332ffae35b60476273b0bdb3679312087043eb77d7e95d

SHA512
5dfaf6b6d872f6257974910908ca8a2e9a254b87cbc1cbbbf7d9c7d1fd11471ee3be54f42da403fc7162b80522199c4f0472c10542ecddc0ae9f91ed1a525885

Download Submit
C:\Windows\_tempheukms10310852593390\pic\9-2.bmp

Filesize
4KB

MD5
86c160c68d550b7a2acb6b46c0fdd25a

SHA1
b2ec02ca7d571d2907ed114dd46253ead04bcd05

SHA256
f6bde4412f12c155a4ad36f1084bce76292d16597e32942e9818ce3fb75be8ac

SHA512
a3c1301abdea7f7acd5cb1cb6cb61df900f3020d7dfddf6be382a57dea8e25abcf9fbbaff7422f23a0130213678748d73addd8c70803f9ec8a63051bd62e3c16

Download Submit
C:\Windows\_tempheukms10310852593390\pic\Close.png

Filesize
2KB

MD5
e71b36478c663f85777cd8c8cadef39a

SHA1
c622a31feb72dd8fd3a500892d5defa491950036

SHA256
64cda4f38899f8c9f51740e88f0459f6843b1d1a2b60400a42779af70fd7cdd6

SHA512
c868b1faa8d560cf76cf82ca2fe48188fdb2998423c09ef2a08bdae069a190adcd49bba89e542c1bf0c7276d8e5a95f22aa54c752fd7797f26eb7dee945a4827

Download Submit
C:\Windows\_tempheukms10310852593390\pic\Color.png

Filesize
2KB

MD5
e526c2d1ef30b88f42194565f5d0b4d2

SHA1
d0d9fe934b97e7e1f7de3fb2ba985e8b92306f89

SHA256
9743655c6c18ccfe763eb5a7b3b7b1b59d253d04252914457d9fc27e1906d255

SHA512
5631f38662ded91dc930f5c33b2dd6a447c02068209b3c27beab8db35f5e437d3171d7d6caa346a903396179eb88429a6ced7b7b6d07dc240dd284c757ed7d35

Download Submit
C:\Windows\_tempheukms10310852593390\pic\Min.png

Filesize
2KB

MD5
7a2ce401af45e36cbdd5d61043e48d92

SHA1
84d65c79df30a8d05ae48c040066dfc72e76e02f

SHA256
d316a0f310f74325f57416d89946aa09e6e7785bbfbba3fae9fcb3b0e5f8c741

SHA512
d29cc67cd8e40f3cd4ac28ad222805fda5af27dd9bb83c0cc2caf76942b783c57d68ea0827377eb48cbbc0b0f121741a465f87c3bb70ae7c94576e7d950078d2

Download Submit
C:\Windows\_tempheukms10310852593390\pic\Setting.png

Filesize
2KB

MD5
547b1994623c0bf11e5cddd515fae9e4

SHA1
94622ebf0ca77985ebde633fab653115d55085fb

SHA256
91c6eb4d8c09e9fd8ee2ca6f7d8580698e5fb24a6335b6315b0f88662376f706

SHA512
262a0a8defaa2cf75d7077f3daf2aef71b82d3c036ca865b65286b3cc7a4d6d46fa8f7ad0eb602d8cf16ff67d646ca4f9c5a8e2202d56556025d9e053913c88e

Download Submit
C:\Windows\_tempheukms10310852593390\pic\skin.png

Filesize
2KB

MD5
ca9775a98825ce6705418f15ee08eb6f

SHA1
00ec33d8677092e9cfbfd24660b62ff97b7a92cf

SHA256
d9c6a796ca0edd6ccc838dbf55628973b999c63e19af7a09cff8f86ec1d080bc

SHA512
5e255cd1ec2a84da856e42f1a244dc7b7616c3035e8692650c1572f218d163954449f25af0705009ea00b2fb89d44af58903bf6f06b7e934f8c01f075f2bfa7b

Download Submit
C:\Windows\_tempheukms10310852593390\pic\smart-1.bmp

Filesize
29KB

MD5
8022a6caed299ad3afc870cb6c0d28b6

SHA1
cba4fb19b204e324b730b0609c282f7ce20ba824

SHA256
001f4adc1266e944c63bb0e823f387aa342694ba77aa7c001dd7de3800e19b88

SHA512
95a1670a46e6e5a8d4ef76b6f5ce4a81c376d8f107ec406cc688c94cda4b62872064170a90afb536101713558fdb0750e2d629745da0d649842a232333e7a935

Download Submit
C:\Windows\_tempheukms10310852593390\pic\smart-2.bmp

Filesize
29KB

MD5
0edef2c665f84021efa62f8edbbf9b97

SHA1
817f131bdb9f661df00be5dd4db111aa6fc51c34

SHA256
f0d035596bade49f611a59fd0d0568f10030ed1ed52d8d524671be13d7d5f2f0

SHA512
496049c4b20b8adcb9b4dcfabc8832332ed299a14e90fbb162993470ece28c74983371b35b39205c591971b3eaa693ed53c497775e28b723ff29f6b50069e6ae

Download Submit
C:\Windows\_tempheukms10310852593390\wim.xml

Filesize
7KB

MD5
9d2a8d70c850ce12bd258a5b22cdea52

SHA1
f9ab84a64d00d9ea65c69a3ac25ae1536c54c934

SHA256
1b96471c5bf67a6c440a05357a29e7b20d04ed2fcd2f83f924a93e29a1dba239

SHA512
cef8f1c341756eef28e38085c3bb460ba14af0f8141b63c49f8ff0c453455973513d2ff571951f085f36e4057e60e938f5e327fc94b3946eb82f4a8e76bf787c

Download Submit
\Windows\_tempheukms10310852593390\7Z.EXE

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
memory/376-49-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

Filesize
36KB

Download
memory/376-10-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

Filesize
36KB

Download
memory/2640-541-0x0000000001250000-0x0000000001A42000-memory.dmp

Filesize
7.9MB

Download
memory/2640-9-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/2640-11-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/2640-7-0x0000000001250000-0x0000000001A42000-memory.dmp

Filesize
7.9MB

Download
memory/2640-581-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/2640-582-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download