Malware Analysis Report

2025-01-22 14:37

Sample ID 241202-rtesjsxnbx
Target 645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed
SHA256 645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed
Tags: upx bdaejec aspackv2 backdoor discovery
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed

Threat Level: Known bad

The file 645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed was found to be: Known bad.

Malicious Activity Summary

upx bdaejec aspackv2 backdoor discovery

Detects Bdaejec Backdoor.

Bdaejec

Bdaejec family

Checks computer location settings

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

AutoIT Executable

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15. The one technique the signatures below support directly is Discovery: System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry reads. The NTFS ADS hit would map to Hide Artifacts: NTFS File Attributes (T1564.004), but the indicator is a WMI moniker rather than an alternate data stream, so it should not be counted.

Analysis: static1

Detonation Overview

Reported: 2024-12-02 14:28

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
(1 row, all columns empty in the export)

Unsigned PE

Description Indicator Process Target
(1 row, all columns empty in the export)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-02 14:28
Reported: 2024-12-02 14:31
Platform: win7-20240708-en
Max time kernel: 148s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe"

Signatures

Bdaejec (tags: backdoor, bdaejec)

Bdaejec family (tag: bdaejec). Detects Bdaejec Backdoor.

Description Indicator Process Target
(2 rows, all columns empty in the export)

ASPack v2.12-2.42 (tag: aspackv2)

Description Indicator Process Target
(1 row, all columns empty in the export)

AutoIT Executable

Description Indicator Process Target
(32 rows, all columns empty in the export)

UPX packed file (tag: upx)

Description Indicator Process Target
(34 rows, all columns empty in the export)

Drops file in Program Files directory

All 64 targets below are existing executables under Program Files opened for modification by the dropped RxBgF.exe; the signature name undersells what happened, since nothing new is created in those directories. This is consistent with Bdaejec's file-infecting behaviour: treat every listed binary as infected, re-hash it against a known-good baseline or reinstall it from media, and do not consider the host clean after removing the dropper alone.

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Journal\Journal.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\CIMV2 C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A

The "stream" here is the WMI moniker winmgmts:\root\CIMV2, which the sandbox has prefixed with the process's working directory because of the colon. The signature fires on the colon, not on a real alternate data stream; any program that queries WMI through this moniker produces the same hit, so it carries no weight on its own.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Token: 35 (privilege reported by numeric LUID only; the sandbox did not resolve the name) N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A

All four events come from the bundled 7-Zip extractor while it runs the x command listed under Processes. SeRestorePrivilege and SeSecurityPrivilege are the privileges an archiver typically enables to restore saved ownership and security attributes, so this signature is low-signal for this sample.

Suspicious use of WriteProcessMemory

Description Process Target Events
PID 2984 wrote to memory of 3044 C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe 4
PID 3044 wrote to memory of 2580 C:\Users\Admin\AppData\Local\Temp\RxBgF.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2984 wrote to memory of 3032 C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE 4
PID 2984 wrote to memory of 856 C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe 4

Every pair shows the same four writes from a parent into a child it has just started, which is the footprint of ordinary process creation as this sandbox records it; nothing in the table indicates injection into an already-running process. Its value is the process tree it fixes, with PIDs, which the Processes section otherwise lacks.
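
The table above is what fixes the parent/child relationships in this report. The following Python is an added example, not part of the sandbox's output: it rebuilds the process tree from rows in that flattened format and flags any pair whose event count departs from the four-per-creation pattern observed here. The rows are re-typed from the report; the baseline of four events per CreateProcess is an observation on this report and is passed in as a parameter, not treated as a constant of the sandbox.

```python
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe"
RXBGF = TEMP + r"\RxBgF.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SEVENZ = TEMP + r"\_temp_heu168yyds\7Z.EXE"
KMS = TEMP + r"\_temp_heu168yyds\x64\kms_x64.exe"

# Re-typed from the report's WriteProcessMemory table: each (parent, child) pair
# appears four times there, once per write the sandbox logged during process creation.
WPM_ROWS = (
    [f"PID 2984 wrote to memory of 3044 N/A {SAMPLE} {RXBGF}"] * 4
    + [f"PID 3044 wrote to memory of 2580 N/A {RXBGF} {CMD}"] * 4
    + [f"PID 2984 wrote to memory of 3032 N/A {SAMPLE} {SEVENZ}"] * 4
    + [f"PID 2984 wrote to memory of 856 N/A {SAMPLE} {KMS}"] * 4
)

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(rows):
    """Return ({child_pid: parent_pid}, {pid: image_path}, Counter[(parent, child)])."""
    parent_of, image, counts = {}, {}, Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # skip header or malformed rows rather than fail the whole parse
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        parent_of[cpid] = ppid
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        counts[(ppid, cpid)] += 1
    return parent_of, image, counts


def build_tree(parent_of):
    """Roots are parents that never appear as a child themselves."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted(p for p in set(parent_of.values()) if p not in parent_of)
    return roots, children


def render(rows):
    """Indented tree, one line per process, with the WPM event count for each child."""
    parent_of, image, counts = parse_rows(rows)
    roots, children = build_tree(parent_of)
    lines = []

    def walk(pid, depth):
        n = counts[(parent_of[pid], pid)] if pid in parent_of else 0
        suffix = f"  ({n} WPM events)" if n else ""
        lines.append("  " * depth + f"{pid} {image[pid]}{suffix}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def injection_candidates(rows, creation_events=4):
    """Pairs whose event count differs from the per-creation baseline deserve a closer look;
    a burst of writes into a child long after creation is what real injection looks like."""
    _, _, counts = parse_rows(rows)
    return sorted(pair for pair, n in counts.items() if n != creation_events)


if __name__ == "__main__":
    print("\n".join(render(WPM_ROWS)))
    print("injection candidates:", injection_candidates(WPM_ROWS))
```

Run against the report's rows this prints a single root (PID 2984) with three children and one grandchild (cmd.exe under RxBgF.exe), and an empty candidate list, which is the point: the signature here corroborates the tree, not code injection.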

Processes

(PIDs and parent/child relationships taken from the WriteProcessMemory events above; the second line of each entry is the command line.)

PID 2984  C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe
          "C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe"
  PID 3044  C:\Users\Admin\AppData\Local\Temp\RxBgF.exe
            C:\Users\Admin\AppData\Local\Temp\RxBgF.exe
    PID 2580  C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\234f204f.bat" "
  PID 3032  C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
            "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE" x "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds"
  PID 856   C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe
            C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe

The tree has two independent branches: RxBgF.exe and the batch file it runs through cmd.exe are the Bdaejec payload (the file modifications under Program Files and the TCP/799 traffic all come from PID 3044), while 7Z.EXE and kms_x64.exe unpack and start the bundled KMS tool (KMSmini.7z) that serves as the visible application.

Network

Country Destination Domain Proto Events
US 8.8.8.8:53 ddos.dnsnb8.net udp 1
US 44.221.84.105:799 ddos.dnsnb8.net tcp 9

ddos.dnsnb8.net is the only external host contacted: one A lookup via 8.8.8.8, then nine TCP connections to 44.221.84.105 on the non-standard port 799. The k2[1].rar entry under Files is what that channel returned. For detection, block the domain at the resolver and alert on outbound TCP/799 from workstations; the IP and port together are a stronger indicator than either alone.

Files

\Users\Admin\AppData\Local\Temp\RxBgF.exe

MD5 f7d21de5c4e81341eccd280c11ddcc9a
SHA1 d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA256 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512 e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

memory/2984-9-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/3044-12-0x0000000000D70000-0x0000000000D79000-memory.dmp

memory/2984-13-0x0000000000D70000-0x0000000000D79000-memory.dmp

memory/2984-11-0x0000000000D70000-0x0000000000D79000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

This is the response fetched from ddos.dnsnb8.net (see Network). Its digests are those of the four-byte string "foo" followed by a newline (the output of echo foo | sha256sum), so the server returned a placeholder rather than an archive: no second stage was obtained in this run, and these hashes must not be used as indicators of the payload.
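
The C2 endpoint under Network and the dropped-file digests in this section are the indicators a responder would actually sweep for, and the Program Files modifications above are what a hash-baseline comparison has to catch. The following Python is an added example, not part of the report: it checks constructed DNS and connection log lines and a constructed file-hash inventory against the report's indicators, verifies the k2[1].rar placeholder claim by hashing "foo\n", and compares Program Files executables against an assumed golden-image baseline. The log lines, the key=value log format, the inventory and the baseline digests are synthetic; only the domain, IP, port and the three dropped-file SHA-256 values come from the report.

```python
import hashlib
import re

# Indicators copied from this report's Network and Files sections.
C2_DOMAIN = "ddos.dnsnb8.net"
C2_ENDPOINT = ("44.221.84.105", 799)
DROPPED_SHA256 = {
    "4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794": "RxBgF.exe",
    "9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31": "3C182A89.exe",
    "cb3b26558cfc5e1f941c51b77ceca17703b4335628afe3f027553970de194be7": "234f204f.bat",
}
K2_RAR_SHA256 = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"


def k2_rar_is_placeholder():
    """True when the report's k2[1].rar digest is just sha256(b'foo\\n'): no real payload."""
    return hashlib.sha256(b"foo\n").hexdigest() == K2_RAR_SHA256


# Constructed log lines in a generic key=value style (not from the report). The first two
# mirror the sandbox's DNS lookup and TCP/799 connection; the rest are noise, including a
# connection to the C2 IP on a port the report did not observe.
LOG_LINES = [
    "2024-12-02T14:29:01Z type=dns src=10.0.0.15 qname=ddos.dnsnb8.net. qtype=A",
    "2024-12-02T14:29:02Z type=conn src=10.0.0.15 dst=44.221.84.105 dport=799 proto=tcp",
    "2024-12-02T14:29:05Z type=dns src=10.0.0.22 qname=update.example.com. qtype=A",
    "2024-12-02T14:29:06Z type=conn src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp",
    "2024-12-02T14:29:07Z type=conn src=10.0.0.22 dst=44.221.84.105 dport=443 proto=tcp",
]
KV_RE = re.compile(r"(\w+)=(\S+)")


def match_network(lines):
    """Return (kind, source host, line) for lines touching the C2 domain or address.
    kind is 'dns', 'conn' (IP and port match) or 'conn-ip' (IP only, weaker evidence)."""
    hits = []
    for line in lines:
        kv = dict(KV_RE.findall(line))
        kind = kv.get("type")
        if kind == "dns" and kv.get("qname", "").rstrip(".").lower() == C2_DOMAIN:
            hits.append(("dns", kv["src"], line))
        elif kind == "conn" and kv.get("dst") == C2_ENDPOINT[0]:
            port = int(kv.get("dport", 0))
            hits.append(("conn" if port == C2_ENDPOINT[1] else "conn-ip", kv["src"], line))
    return hits


# Constructed host inventory {path: sha256}; in practice this comes from an EDR hash query
# or a Get-FileHash sweep. Only the RxBgF.exe digest is real.
INVENTORY = {
    r"C:\Users\Admin\AppData\Local\Temp\RxBgF.exe":
        "4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794",
    r"C:\Users\Admin\AppData\Local\Temp\notes.txt": hashlib.sha256(b"notes").hexdigest(),
}

# Assumed pre-incident baseline for two of the Program Files targets the dropper opened for
# modification. The digests are synthetic stand-ins for an organisation's golden image.
BASELINE = {
    r"C:\Program Files\7-Zip\7zFM.exe": hashlib.sha256(b"clean 7zFM").hexdigest(),
    r"C:\Program Files\Mozilla Firefox\firefox.exe": hashlib.sha256(b"clean firefox").hexdigest(),
}
CURRENT = {
    r"C:\Program Files\7-Zip\7zFM.exe": hashlib.sha256(b"clean 7zFM\x00infected").hexdigest(),
    r"C:\Program Files\Mozilla Firefox\firefox.exe": hashlib.sha256(b"clean firefox").hexdigest(),
}


def match_files(inventory):
    """Paths whose digest equals one of the dropped files, mapped to the report's name."""
    return {path: DROPPED_SHA256[h] for path, h in inventory.items() if h in DROPPED_SHA256}


def changed_since_baseline(baseline, current):
    """Executables whose digest differs from the golden image. For a file infector these,
    not the dropper, are the real cleanup list; paths absent from the baseline are skipped."""
    return sorted(p for p, h in current.items() if baseline.get(p) not in (None, h))


if __name__ == "__main__":
    print("k2[1].rar is a placeholder:", k2_rar_is_placeholder())
    for kind, src, line in match_network(LOG_LINES):
        print(f"[{kind}] {src}: {line}")
    print("dropped files present:", match_files(INVENTORY))
    print("modified since baseline:", changed_since_baseline(BASELINE, CURRENT))
```

The baseline comparison is deliberately separate from the hash-match: an infected firefox.exe has a digest nobody has seen before, so it can only be caught by comparison with a known-good copy, never by an indicator list.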

C:\Users\Admin\AppData\Local\Temp\3C182A89.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Temp\234f204f.bat

MD5 0a6646cf8a756241ce1ee5a87d20d9ea
SHA1 5c3b53ca89cf0abd6ced8b0a9df9f56d98cf4b7e
SHA256 cb3b26558cfc5e1f941c51b77ceca17703b4335628afe3f027553970de194be7
SHA512 3c68093a385653122178151803c0a07bca282d56847bad758c12988ade55f7c23e9affeaf224ac66ab4236ddfaa196260ed1846543145feee3cedefe530b6a9e

memory/3044-59-0x0000000000D70000-0x0000000000D79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\KMSmini.7z

MD5 ef286416abc0ad79840eb8e9ca2dab49
SHA1 866f6ab81c4900c350525eca52eb317670eaa8cd
SHA256 5ba300bbc4a41de21bf07e2f681f277d1ca02f1aec981fd8df6b09fb63fba813
SHA512 75bf250eeeee148cc7e760c62245866c309c15a5af8e5da6c5432f8269f13049075c6f11ced7ceebc6e15c0516b6430834b01e7b3508534809a79397458aba28

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE

MD5 43141e85e7c36e31b52b22ab94d5e574
SHA1 cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256 ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA512 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\files.7z

MD5 6a07ca86e2a06dea55700327a3b3a594
SHA1 92e9d25febf82ed1353f1874dd404af0c3ed4db9
SHA256 1bf9eaaca0ff1076de4854c734c0aee6ec62b61e46f899ab954c0210919d34f0
SHA512 5c1bcaf3bf87555afe7a172984aea651a76a0e9cb483b81325a39ce569353ad0413171f8a26f1d5719ca284c4bcfe55fe91fafd63fcf0236970186a3a4bb5670

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe

MD5 e324d7de5dbaee12c1d577cd7a413269
SHA1 a12c940c1381847436f5f7fab224b4fa1c9fd8d0
SHA256 46a80a13ca48d147a5c597b056ccbe31609e02da3d9ed3a9c9847e24b19cf1ba
SHA512 93272f9a0fff96dda2a839de928a40268fe4d16fcba6173c416e05445f1136f9afc0fec0002b484a88a1862c00a03e0a76b3502053a46945770b9fc931b06951

memory/856-267-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-266-0x00000000058A0000-0x0000000005B63000-memory.dmp

memory/2984-265-0x0000000000DF0000-0x0000000001660000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScriptTemp.ini

MD5 f66deb0ac4a524d67783b8783b58c1a2
SHA1 8a0d025c8be0860b2aaa4bdc14c7f4307789e13e
SHA256 15405279df479731dde8308fae65b99decff969eb0870f174e8ba4bce00e1c74
SHA512 3c88f0c460d8726e2984f0528a085780257fdded957a974c9b783177160de4e1afe964f2b4410a54e141ba1f3e22a0a2554c93428aaa15e31af660502e29bf7f

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Close.png

MD5 aa69a5622d03dc816e0c21e9867ff487
SHA1 2b8268e2796d728a55f3d48caef467367cd47d56
SHA256 a5968242aa845300fd5d97c0727c3afccf0c94fb2654d4d185c0afc936e43c91
SHA512 747ab85849015ad02f2fb21992d80a4078531cef0757bd26bf21ff994c357b3e67b73b66c3241cfb84219fe39d2f5c21e947f5d4f7dc49b74c55b70c0dab76a8

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Color.png

MD5 ad1b105d2ab470e16895f4b7d0ee8fc7
SHA1 0bc5a34bc26ea95fabf9ef69d42afedeb3a628a9
SHA256 a7f54d8a7cba923b98c239bb35f9dd7857df6a10a74ca3290b2b6ab63d76a440
SHA512 fbb0659fc9b3106ee172842c2d41b3af145f1ee054209073a88daea9fe4cb41b206d52a9ffd89614eb177e19b1bf30f4041f778cfc0c6ea0992d8451f788ee22

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\smart-1.bmp

MD5 168983e9f0e889082f8ed95371fe9ad5
SHA1 9b836a6b555b487175ee7f7e7813b783b42bb435
SHA256 961bfca28d74d0a07fcb4633131d8afa9589519be0543325dce12f9876161250
SHA512 c3a0bb5d3f852a30c6491924ba17830f22a847b8e9fdbd36333279c880a686761b0ccdaa9f58ee843fd2f08d8ba76d2b9d4f2874a3c32803ee3701ca31424bd3

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\skin.png

MD5 4c37570c6058148a4f21f773b83ae835
SHA1 55830f9bbd65fccf7153115d3eb00e7bfcc388e9
SHA256 0751e6a9e67b49a32fcad384292aaae3cf9c85baa612c14e78a6977444cfc25c
SHA512 c7eb7494a1bc2dec1aa4bfdb7f558010f16abe4d47a1a0b9db0bf72615a0106ed6f13f2ecd1e4c1eab03ce5d5d49fa40a339f75602f90fa3b74ebaa03cde35d5

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Setting.png

MD5 f41c9477a1d7f379c7d2e8d2f89b2867
SHA1 e44012b9d9cdb3eb36840e2b701f048184e79a52
SHA256 d1b457e3839c0e2816b6476e67f3714debada36b065bc915f714da97916e6d98
SHA512 f130a8f765f3f79423a2019ce815295169e76b3b740a46a80d8ebdfa00e762259dd37faf479ada508091fcf4a5112ac4962f7c01529ccd8d7f4418f2dc5c4fcb

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Min.png

MD5 cc4dd823782ec16f6f8213129a1ea431
SHA1 84dce0b452585ae84f1b368681b31e380fd0a9eb
SHA256 1e510d24e9f110513ccd329e90242c2a897bb7902fcfb02d78b5480104455a4b
SHA512 7b73e8ee9d2c326a08f63637c0c5af8e1636e1e0896448a388f5236b8d5886528a838cc0293e3b4a84096395bc5923313f9c421285f8b3b9293e1657a6e1c221

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\smart-2.bmp

MD5 c04ac04097c2ec30e2739e6447ad0a9d
SHA1 f7b52aef1a6e9a84a57ae35df9c1c54d0edfa45d
SHA256 3ff234828053a77d09ce0b9571882b3bab9912a0fdc62bb4b22df759983b9681
SHA512 f55658af0428f3c11952e29b9551528b321d93b32dbddfc6ba119dbf580baa087b738453c54d50b0b7cd14eff4ac08d2d74b0bdb1b731b4f4b610a38fd6a687d

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\smart.bmp

MD5 c6505158a7af9fa54e73b14998574b26
SHA1 0fad3534a4be16440656e9c6a6aa687990ab688f
SHA256 6a449a406bad7f221eabe550ee55449da30dee3d69282dea91f68cf82f4459b0
SHA512 f7c8829669d144c72ed5f223c8d4c92cc16d2d99442ea8aa8c568161399ede319bb34892fe9bc0e9ad3355d1cc1be9b79a3f797163fa1d926c2d14dfb6ab2fe7

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\5-2.bmp

MD5 187a5d7b4c9a88face97056111af08e8
SHA1 1ee313c22cd3cc8f690bae69afc64f69a20e4a9e
SHA256 ac57b5eaf87a5f7b4d01cc253bf45afa0d7a7982f1a17bf1fca304fe0fa64af1
SHA512 615e5c7124eefcb7593ba3fce0e450a557dfe428f5242196d664b4e2806bfce9a8a35ee84eb4180c4ab5328e4d4b3569b333b8c786be28c6478d07dd9bbb9bc0

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\5-1.bmp

MD5 59d1447568858647deb7bce5384af2bb
SHA1 9cb45ae311eaecf705fc557e57270bc285bcc3a5
SHA256 50dec083680509b4a2b10266d8366d36e7d044ffa9278b573c5361bcf821b5dd
SHA512 417d76b05096790e80792e637de3223d717d55ffe06dc20eadcd9c74d169f2a088ad489d001a2cf5e937eab63546424a4557841938eaeea02230cb398ecb314b

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\1-2.bmp

MD5 f0b50ceb08e0e47410ab0486cfe18e13
SHA1 bd1601d56040099e086555c782427a48a2da164f
SHA256 1ec1312347fee5a7cddda9d264b536f2a230de13acbd024a967ff9bd6d607a5b
SHA512 a4a2573bd5f25d47ac18b61023f5fe6e2dfe2cb7fe3f62de14c1bfebaa2a329076a7c57368b378810d37fe842f9a61ca99da8148a1c229a556ee7e871e6f3bbb

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\4-2.bmp

MD5 01b7718bc37818b703ccc6ba022741b1
SHA1 9fa8996f0b37d16428afe68cc0190ab80204f384
SHA256 b396ac8d18adf6288b05b603fe377ec062ef8cc1ae3dac765b17a9662456bf31
SHA512 78aa918327a0c3cec793a8ed22bdea449006f476c3e25d401d6439cbb59a71f2c11294bad83381e81b4d4343cbb7ac6e1f5f737f7c056c0b8e9f07d491ecb903

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\19-1.bmp

MD5 99ee0843080ef4a170a9ed671c9e9490
SHA1 8b745f7b5280b1b5d4e9c1471c8d84f03f42aaf8
SHA256 17614e36cd05242a0eb00e3be671efe9aecc38ae7f747f6ea876bd4d5c7fa2bb
SHA512 3598cc18ed377859f6d9dbdda10722c3b3cbf3406d188949938cef6b2b1a80fc7968f5dcad99880d2f3282dafd291b1aea24d311c77653b8f13dc01c5e41463d

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\12-2.bmp

MD5 8bb9fcbbae84be58619ac7e340b34f60
SHA1 5d3da5d0fa30caa4137ea0c70b9550c88da2e011
SHA256 80e1b7511127d4b36fc7f5a16fbbffeddbca2bdfc44c010d02b4657c94f3d20d
SHA512 da30e8836ef6bd315fcb6e2f911ea0bb7cdaaf2bab8dbbd5ec3ecb4dba23618b702b9b98975a79ebcfa70a458969f227886cdfd15ef866e9f2ed04c2c5374917

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\12-1.bmp

MD5 41645b59d0cd2909a8d8105a7c99dc30
SHA1 1cc51c822380290125af8c8b75d5d212a8431598
SHA256 9d7c6237e459455d792589c0d2ee7d5f02d0a62e403978d974b4049503eda4d2
SHA512 9fa54cf9ecbde966744e138b4c06ed3b49f9d2d1045e5874829526201d7a14523564f3ee5b94e444481eccf046eab1c8ca80ec95b3b733f78ec4951e70166327

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\9-2.bmp

MD5 2adec0b854c1511e7aa2ba3fc4e5d0b1
SHA1 08e3c11325bd43e5ae2a19ac555392e6f5fbec24
SHA256 53a4c25396160d3cb27d86093acfc43c6f540d8279e4fbad1172c9e784e3b38f
SHA512 d5cd1903776786cd9d5da2d582b9122a3b310efd7a4ee7bd81406b234496067baf7a96aeaa17f9b2bed2d5964b6130e8a85459d508237804cb3a0bda0b59f76c

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\14-2.bmp

MD5 047f193f29ed38e689ac53bb6b879c46
SHA1 a8e62140702d55c2ba95385cd064fa96ae68888d
SHA256 fa993936d1682bbce788e759bd1b2635b987e535adab6002792d0c316df5863c
SHA512 1a5d614b22b51548ddb8c715c2a456fa3602928b5fe513d748f6c49846487e84593f062282def5ecd44889ece5e3321bc6077f7c07725c1121c9ed1f59b4ac2a

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\14-1.bmp

MD5 ea41c4b5b5a96b68758c993a24a80c38
SHA1 084cf42c7dbea5435478835a7303063f3c11ee93
SHA256 f6e73c93ce3c964a9e8969eff64bb12bd20685350b6dd8b2ef3d86f803dcbcc9
SHA512 f84d813a9bdaa16229bec71995c4e3a4dec88ca3ba2c818b1284994fb28159832f3c5b7d09301794a7ba1888d8a060a8098e6ddff599133ceb1adc3d2a6c7b5a

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\9-1.bmp

MD5 50b18774ae74d388da9fae4e53d12b52
SHA1 4ae97e5d0524cdf96124231d6b41969e885c64bd
SHA256 d8e86d29c0abd96dc92fdbe4c0b7bf30367401e63ba0c1ee11a9d6f169fca8c5
SHA512 16a5d244bd3ba477ef446f9f0bf6cb0e3d71fbf7a5a292126138aa228dc1ab9e33b03d978226f98fb39729ebe73f552c7805353b5f4071e856fd6eb45f9e5d90

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\8-2.bmp

MD5 94e7dd407071c974b91c8bcc032b7efc
SHA1 6a1523b7251c39f8a24bb04aceede797a14ad7e0
SHA256 0f871fb3645cfc8a0d4b50bf47167304498b5e0a504b05b7f6ee6a684bbec1ff
SHA512 9f205ec6d150256d0a1cd68be51e59e6d89bcfcf71c8fbd375e8f492634bbaa6bd68c365f252b98841c69cec30ca93a0957b067829c5599a5fb90d47c2530b1c

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\8-1.bmp

MD5 c5b21a4b4880f0055e99f271f43850c8
SHA1 0328314e727c440cdcfb9662d4b55c039763edd9
SHA256 f4586ca895ab86150f0c0c6a5bc3a0a3e28c88771cdc1fce26857deeb6d265c9
SHA512 7dd3e70e4e4d2f2bc9a7edbf29a9510b6bb0ef450069da37a1d2c0e483614ed7a363d8b2d612219d1956b81f4393591b0daa55b838e31808e2768cda7c7b9c2f

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\7-2.bmp

MD5 68a7611db6e902227980df598bab301a
SHA1 d3f09631f5e63c85d3e1a9d351bff108522771c5
SHA256 958adf0643d2d66175955a0c450f5775c3c3b23c735ebffd680ed0e58bb583ac
SHA512 e267d3303cb78999534f9520360bff84fb2a6cefd36c8a25e1cf0f80a36ccee14d3d12d48282a4772fb0467f3715dca9214bea4bf0fdddf961002bdd1f3f0a8c

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\7-1.bmp

MD5 60c054f50977bac8a0a8818d6c18f971
SHA1 8e0a54833af8ef3691976e7e88ed4074b3890ee8
SHA256 14f8e2863fe89119fc146f2b826f66ac1eb84fe90c275d94b428fd259e136195
SHA512 c3a5aa0358893ad7f7520b201396a2bf50db7b63c5c81d6e0a5d3dc3b1060b1b217086b2cfdde25d531f5b71e8c04f583fd9fc8467ac525bacf2c7f93f3bafdb

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\6-2.bmp

MD5 8d5af3015a65ef4b4169e536c44c5b8a
SHA1 b8f414b2e812d5ccc4e2e1f2ea8e9b9dd086cdf6
SHA256 174393290f92feacf88f183b1b098c20d8df7f522505b39d6a7d011fcf67c5b7
SHA512 37f18fef44d763b427464097fabef937672da342335a0d7014e8aeeb5301b9596f5203eaadd2c6264f89494c9b1aba97e77fe689ae3244a5111dc91606f00d57

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\6-1.bmp

MD5 ae1495079c600e61a9d4c4ebb4386f7b
SHA1 e13db0c922636eb55ebfcd5ed5584b0ad70e64f5
SHA256 c359b6f7e6ddb6f4bd9d003ca5df4cf0b2a92d3329d95c023bead0f3b0f8234d
SHA512 aa702694c43546ba8157a44790222f2dbf85cb89858bbcfb66ed90369f88e5666fa7295c13e86fd76c386cbc830451fc7b3c0b9d13a8457decf679f59e92a7cf

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\4-1.bmp

MD5 72a3e5372444ce8ca9df741589b54ccf
SHA1 b2892bc0ca2dad39bf5e08b1cf4c46e9986a8914
SHA256 25755db2351f0b97f1d90de0b3e5967d73411eb7ae7e8404b3f2f262b1507d57
SHA512 2c734783a929d842de5541760496e92a0c990c40429b60f171c940633bfc820f72b0f7671b356f9cff7a31a0f217a990d12a330a00caaafdc35ae4f4e0a61fdf

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\15-2.bmp

MD5 d92102d6a2440521043cf675e12cf69c
SHA1 d652bba4134dd9bc5d47422c29c7a4e9cbbc4cb3
SHA256 85fba5bea5738ae5171a5807263d99ebb392719cc93dc0e10c12174bb974fbdb
SHA512 0f77ea43d1f04133ac6b6f57edafa8c8d88bb257a231e32e4563e9ff53a389f08e0479a4c8dd912509849371463181df1b1cd0367ffba35af05d5edfc7d97728

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\15-1.bmp

MD5 89cca5171e13d2502449433ce4b5d3fb
SHA1 0cca8a5c6578731760340cd017af3d4576c3301a
SHA256 fe17efd8e710e268b0b9c7374346e10c0e1f72927b3016c42a911d4c67e89439
SHA512 23a2d50ca72ec07d07d8b9e432d5228b84c4c94e29103d1cd8ec3856406541433e5b9efafe0c41d1e286d0372f3127b5ce709bef5a9efaa9c2f5fbb93bd39c79

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\3-1.bmp

MD5 9de694a8a4e2f1b473352ebabab39b6f
SHA1 d157179758ced1e150279364932aa80dd34d9338
SHA256 98b285eb57bee3614cec6c1d0037420ac7c5c4e26b6fc20d59572ea9a11cf19a
SHA512 9df3054660351b0ad4e59ad506548a4034166f776cd55a4d3392b4b65d8db8dd19db13afab4eb7ae091fa5bc9b2f4082af1a405ffd6c6939b34990e668bdf89f

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\3-3.bmp

MD5 b633d8ef5dc70459ba13d81d4b7e6355
SHA1 a405b201b569f24c06ee94d1c04b67ed12c8a882
SHA256 46193fd3f44fee45b44e5c047f68944ed443717ce7060675992cb21e4ba8f366
SHA512 deeb1c3d10f85ebeb77f125d48ec9aafc02794a24f1da58ff713273bd1204601c5a71a402a40ac87adcff10194206d49ac3cb4c5bffc02dd0b29e933e4d5760d

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\3-2.bmp

MD5 2824f5ade3d18bb173b5a6e10b5933fb
SHA1 2e42fb1e7dcce77f71b47067d0b31b67f26f0e19
SHA256 9fc99137a049f69c40050c4d37d51f70e5c15872f6c2886172fb4bd071fc290b
SHA512 784c77f6673febf41ad14f790ad65edf0f6bf499c1313fc8f292c24d0070eed765dc98d188f23153e0b0ecdb6a058b41ca9445041db4c331a985b4bed8657d23

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\2-1.bmp

MD5 1b58a8a32a0a5f923cd193e128d08824
SHA1 6c73c2c001d1b2005395019c467ee46028bc57cc
SHA256 2c6ded923d9853647026dc1e71a276a4ed5594cb4b92ac673da1a748eac6e347
SHA512 7f516002faed24feaa4bd26c612a4232fad18bf96ba140c490187236f58cb4aecb0cd171e59e75bf1f1b5d0d202d170f383d09ee6110659702e75e244c079154

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\21-2.bmp

MD5 27cac6425effcab20d8dc7d4e586994c
SHA1 5d693a26ccf51c2960d6e7655a267f1644dc2711
SHA256 ed1793a63a1a8629a941288cdd6a08b2f2ea5e08fae014ff96390fc04d9e8da2
SHA512 efed90384473e3073d78f455bffd2c099c3bbd61694070fb846d7a4f1314e899a2210a4d0ad80990b08cd0588009ac8cf2be771a60a446674fd60ae6285f71e4

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\21-1.bmp

MD5 9addff95503bb3b77cec606a792b7743
SHA1 d7b091c161f3ab2a84fe5bcfb2d523491b6f34f2
SHA256 de3d69c9da80d614dcf1b88e70f0fd370a70baa92d025b878f38cc2c9cec5899
SHA512 63a5089986171a12d2bf19af11603d878ddf2b27132f434655ee08c7f6e3535cd8c9a143869c0d2af597b4eca0a02ab900c7baa33b34bfd9ace817112f893160

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\17-2.bmp

MD5 97a2b98d6d4296b08deb1b6b27901a4f
SHA1 63ce9dbed54795acffd5eaa0c8b4f7381aa180da
SHA256 c267701bfc6b785772abee5ac8eb83fb2c13c09385a2a2c4a1cd451a67e9cb96
SHA512 35a6ced7ab8b7b244b71e80b7a41ba86b03e846547cc18faa66ac52e613ae13d214e72995bc85654e22e86f02d905f7d59dceb419dd8d079e3c1386686f340af

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\17-1.bmp

MD5 04a1525dd639c4484c7626dfa814d155
SHA1 ddd779be16a7b61450595ea34f34ef9b630ae408
SHA256 de0640c44d43a43d2726e22ef87e80d9a571fa5b1682fd743f4be395526b6fa9
SHA512 17832b959d0d346252a6d56587cae2aa43d79e9de81ff2f39913fa31f6e6607eba029cef9df3bf921a48de32ce5a7d79da272dc969f02d27a2fdea899de9b669

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\logo.png

MD5 f4f6d33bdc7fcad1834d65256467113c
SHA1 33dfe0827a4e532d69a33d30e7836c6c9fead2f3
SHA256 375b10e59eb36efb92c424b9a3983cb34bb5ed9be8056960fd78f1cc292f04c9
SHA512 167df406ab3d39b8fdf5cb78e090dd4198db2809180930ba481e42e9d2987d1c6090e525c217f8e6be057b493cf229398eb710ef3814d511bef8a1913cdfb5ff

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\TAB5.png

MD5 eea2b9b038cf28617fa513ff9a567c9c
SHA1 265a8209bcaf9e085970f24da595839b3efc27f5
SHA256 a25b00803c986229355bafa9b6f89265e33629e571a589987c76bc3556377a85
SHA512 b9b45e340e29359e7726e83c1a976c73727dd4f8842d0594c2ed70519cc8a3c5f1deafb49a09c4e0b5d315e6a74582d670a7486ab3fb23506ddf3e09f6956503

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\TAB4.png

MD5 abcffa915c0d2ab37a25701015af7db2
SHA1 00375c3460cb38e97f8c5a50b980095e952c3276
SHA256 50b3a682102c909638de843c96da643705b520dc6f4bfd025b6cae1b6dd94fb8
SHA512 9bb880e8773571b8160ea64b87ec77f4cd393dcedd2ac8943e0d28d3f9d2204f77208e938ce37ccd4db6c469406cdaf4f02afde0ab86af1df4d39723bdc8923f

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\TAB3.png

MD5 349a516c6192bd7086699c2138c64974
SHA1 2cd3c37232b417ddddf5520a8f4b813844eb5317
SHA256 1e4085568a73918ccd812cf063153d9ab57a410be269afa8c068b9e3af2167f1
SHA512 ae5922ca3081f7c32d5f7de89fb6c0ee90f64cf6a051fb1e3a8ae08d7a3226380934f07852b9eb153d99c886613ffe492558482d23d985eb9722a2f5e9105891

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\TAB2.png

MD5 03ad4bda93caa1fbfdf7f7708959805e
SHA1 3edd4b724f10bd0d030671673d28ba4c18cc2267
SHA256 3b6c31ebc247f6dae88356c297b44b49f741f6e2ace452097c961e9fb4db52fd
SHA512 9aa7a23338529b8c539bbf0ac3ba613c5ded41378ae1fb76fedf71ba203f5466820baf76be923b6603ed8fde8d5928945f7c468d988a403c55dc48d8053b4bed

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\TAB1.png

MD5 6f37d8cbc242acdb504a9e05c93c7627
SHA1 98ef8c8485bd48b0cdf20ea96b9352b14abf7890
SHA256 b4d7f989ad093fad070548da06b5beeb7e9b8c465cc58221077e3cfc5aba861f
SHA512 2a26c0dcbf6a2083ded59da38fa511d23f82b9152e3329e211c5f8aff73522e00c8f77f3424e8097478970b718ef1b873d9dadaf3fafc2fc4051497dcc0aac93

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\BACK6.jpg

MD5 f1d3421aa3bcc89dda15a421aba74562
SHA1 7ab470c97f2ec29aaf37dee8dc4b4a6c6b123c3b
SHA256 0f46e2389bd5c4f1871e3751a280d24b8434d3a56af29d5cc50a2260202684dc
SHA512 ad42b368c11f70da615482a7f8d7e2ad18489869f69a32b30fa7911a1a90fada5af962aad4770781a7ff38c20096975164046874129bccd8f6ee63a8d8d248fa

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\2-3.bmp

MD5 1b3be88fe13dbaa84837670409aef72d
SHA1 2835d1aa356fcb9d7c7d222c7b12d16be59fb9bc
SHA256 251dbb10854ceb2229d2bafd4afe0e953a392ba3b390aed65bdb83555d3a8563
SHA512 865155a147b12524d4df1cd375e867d384fc0a3d1d990726ecb5e2f254721d0dfcdcd229cb196ac5fb2650ea5c4bd332514b6ad37117f653e16fc3e1fab53867

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\2-2.bmp

MD5 30117495ae9cdf829242602a4db4f25b
SHA1 3a0ae721f8d36686539a5aa3513b1232c63bd939
SHA256 0fa6814298169bb6ba98a43b95f8e586c9ca7b35ea0e0a2252d1145f4af54da7
SHA512 c0cc1e14a5149106b9f13aa6e61b2de321d1fddd4c22114c5089235b2ce3caeba7fcacc60a801f999dc6208fc210961e3e3b1d7f7a1a429481c0fa31c8e497e5

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\1-1.bmp

MD5 854fdb63b26f58d482a85f4a7d87eb75
SHA1 85c8c1571fb9af56dbf96a7e15cd0803122aeae5
SHA256 8d3b094b0984a03453f11d7d587226f4e29665e1b0e04b76f009a8e8268fe18c
SHA512 a246beb71ecd77306d88c8f07652bea65dd1fa23c75b8a70d8a7e6b3992190fc457dc20023373feac8dbcf70d80518bf0b273cd60bb9b6ee28308af4ec1c89d4

memory/2984-315-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/2984-316-0x00000000058A0000-0x0000000005B63000-memory.dmp

memory/856-317-0x000000013F170000-0x000000013F433000-memory.dmp

memory/856-318-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-319-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-320-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-321-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-322-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-323-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-324-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-325-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-326-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-327-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-328-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-329-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-330-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-331-0x0000000000D70000-0x0000000000D79000-memory.dmp

memory/2984-332-0x0000000000D70000-0x0000000000D79000-memory.dmp

memory/2984-333-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-334-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-335-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-336-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-337-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-338-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-339-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-340-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-341-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-342-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-343-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-344-0x000000013F170000-0x000000013F433000-memory.dmp

memory/2984-345-0x0000000000DF0000-0x0000000001660000-memory.dmp

memory/856-346-0x000000013F170000-0x000000013F433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 14:28

Reported

2024-12-02 14:31

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe"

Signatures

Bdaejec

backdoor bdaejec

Bdaejec family

bdaejec

Detects Bdaejec Backdoor.

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RxBgF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\CIMV2 C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4300 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe
PID 4300 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe
PID 4300 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\RxBgF.exe
PID 544 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\RxBgF.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\RxBgF.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\RxBgF.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
PID 4300 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
PID 4300 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
PID 4300 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe
PID 4300 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe

"C:\Users\Admin\AppData\Local\Temp\645717b83a154ea9b128317b6d1a9cd1f59b59a30e3f5e7159aad542a658f5ed.exe"

C:\Users\Admin\AppData\Local\Temp\RxBgF.exe

C:\Users\Admin\AppData\Local\Temp\RxBgF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4706229c.bat" "

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE

"C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE" x "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds"

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 142.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 178.153.247.72.in-addr.arpa udp
US 8.8.8.8:53 162.153.247.72.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4300-0-0x0000000000B20000-0x0000000001390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RxBgF.exe

MD5 f7d21de5c4e81341eccd280c11ddcc9a
SHA1 d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA256 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512 e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

memory/544-4-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\Users\Admin\AppData\Local\Temp\02840B61.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

memory/544-51-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4706229c.bat

MD5 b6bdf3a09c71d139e3959e86d1848c0e
SHA1 9ce35bb6046c9c505e8486a668f3c692f9ac06aa
SHA256 f1db6660e721bfee0abd4785096edcbbb2057ff345b95a6c43a5bc76079b6575
SHA512 6233cc6b72cdfd10738885e22cf1a242ce8d346571c31b2171b132a3a0f127e25f4a737d07076f6cce5c54446e0622fc40ee3baa52642306c80c2a34f0fde43b

C:\Users\Admin\AppData\Local\Temp\aut9BE3.tmp

MD5 ef286416abc0ad79840eb8e9ca2dab49
SHA1 866f6ab81c4900c350525eca52eb317670eaa8cd
SHA256 5ba300bbc4a41de21bf07e2f681f277d1ca02f1aec981fd8df6b09fb63fba813
SHA512 75bf250eeeee148cc7e760c62245866c309c15a5af8e5da6c5432f8269f13049075c6f11ced7ceebc6e15c0516b6430834b01e7b3508534809a79397458aba28

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\files.7z

MD5 6a07ca86e2a06dea55700327a3b3a594
SHA1 92e9d25febf82ed1353f1874dd404af0c3ed4db9
SHA256 1bf9eaaca0ff1076de4854c734c0aee6ec62b61e46f899ab954c0210919d34f0
SHA512 5c1bcaf3bf87555afe7a172984aea651a76a0e9cb483b81325a39ce569353ad0413171f8a26f1d5719ca284c4bcfe55fe91fafd63fcf0236970186a3a4bb5670

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE

MD5 43141e85e7c36e31b52b22ab94d5e574
SHA1 cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256 ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA512 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe

MD5 e324d7de5dbaee12c1d577cd7a413269
SHA1 a12c940c1381847436f5f7fab224b4fa1c9fd8d0
SHA256 46a80a13ca48d147a5c597b056ccbe31609e02da3d9ed3a9c9847e24b19cf1ba
SHA512 93272f9a0fff96dda2a839de928a40268fe4d16fcba6173c416e05445f1136f9afc0fec0002b484a88a1862c00a03e0a76b3502053a46945770b9fc931b06951

memory/4352-255-0x00007FF7B65F0000-0x00007FF7B68B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScriptTemp.ini

MD5 f66deb0ac4a524d67783b8783b58c1a2
SHA1 8a0d025c8be0860b2aaa4bdc14c7f4307789e13e
SHA256 15405279df479731dde8308fae65b99decff969eb0870f174e8ba4bce00e1c74
SHA512 3c88f0c460d8726e2984f0528a085780257fdded957a974c9b783177160de4e1afe964f2b4410a54e141ba1f3e22a0a2554c93428aaa15e31af660502e29bf7f

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Close.png

MD5 aa69a5622d03dc816e0c21e9867ff487
SHA1 2b8268e2796d728a55f3d48caef467367cd47d56
SHA256 a5968242aa845300fd5d97c0727c3afccf0c94fb2654d4d185c0afc936e43c91
SHA512 747ab85849015ad02f2fb21992d80a4078531cef0757bd26bf21ff994c357b3e67b73b66c3241cfb84219fe39d2f5c21e947f5d4f7dc49b74c55b70c0dab76a8

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Setting.png

MD5 f41c9477a1d7f379c7d2e8d2f89b2867
SHA1 e44012b9d9cdb3eb36840e2b701f048184e79a52
SHA256 d1b457e3839c0e2816b6476e67f3714debada36b065bc915f714da97916e6d98
SHA512 f130a8f765f3f79423a2019ce815295169e76b3b740a46a80d8ebdfa00e762259dd37faf479ada508091fcf4a5112ac4962f7c01529ccd8d7f4418f2dc5c4fcb

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Color.png

MD5 ad1b105d2ab470e16895f4b7d0ee8fc7
SHA1 0bc5a34bc26ea95fabf9ef69d42afedeb3a628a9
SHA256 a7f54d8a7cba923b98c239bb35f9dd7857df6a10a74ca3290b2b6ab63d76a440
SHA512 fbb0659fc9b3106ee172842c2d41b3af145f1ee054209073a88daea9fe4cb41b206d52a9ffd89614eb177e19b1bf30f4041f778cfc0c6ea0992d8451f788ee22

C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\pic\Min.png

MD5 cc4dd823782ec16f6f8213129a1ea431
SHA1 84dce0b452585ae84f1b368681b31e380fd0a9eb