ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1216-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-110-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-604-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-605-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-606-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-607-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-608-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-609-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-610-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1155-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1156-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1157-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1158-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1159-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1160-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1216-1161-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

17 discord.com
18 discord.com
15 discord.com
16 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

1216 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
17	discord.com
18	discord.com
15	discord.com
16	discord.com

pid	process
1216	Wave Goodbye.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000008546daa4dd73d6d823d7e177ce0e692ac189f359408adef8712b16f64d4327f6000000000e8000000002000020000000b2c714458e3cb7d9c9894929e38f8eaee73cdf89b093d0e17e6628e678546e90900000003952907b8fdc87ffa3d856dc51c3539e17b8cc66a97695b18797e07a31599db450b1fbb387a6c3fa716f6f74aadf4d35ce81640bed70528873e7ef327ee83e5b1d51a502132f111fb13d92f504e14beffbb323cd501612f77395fba938b9bd6a60a80823cee57e4813ee480fde5087b3a4fae697f422d19a39d3cbfb58a40956bc521f40daa24fb3d7c839448f61005e40000000399b34506951f3b4c001267f7b86309f890f77047af0e813c6a2367a22e2a3441081eaba2978cc2b2acbd485a223c671862bf3f6b86059c32ae69bc76b52b68f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000002d6eeafb144aca37fda7fc3544cefefa69e41b345be458d6d01024f52a63a5e1000000000e80000000020000200000000d1c175ce713508f80aa9ad742f54badf730512f7962b5618e9c3716c9b83d262000000024e4df49997bbd30133814efcbd0a134d01b7b9d5151b6f6ba25b70836dca382400000009a14dc7789dc63747a3b7822f8b5e013d56931b4bc4e933555b36f56e44617fc684aaecea32cbabac01fe49b1387a0fdb009439a495ccd170f58e302220875e2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425862152"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{518AF7C1-3667-11EF-A233-7678A7DAE141} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603f782774cada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wave Goodbye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d	Wave Goodbye.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1708 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1708 iexplore.exe
1708 iexplore.exe
2740 IEXPLORE.EXE
2740 IEXPLORE.EXE

pid	process
1708	iexplore.exe

pid	process
1708	iexplore.exe
1708	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Wave Goodbye.exeiexplore.exe

description	pid	process	target process
PID 1216 wrote to memory of 1708	1216	Wave Goodbye.exe	iexplore.exe
PID 1216 wrote to memory of 1708	1216	Wave Goodbye.exe	iexplore.exe
PID 1216 wrote to memory of 1708	1216	Wave Goodbye.exe	iexplore.exe
PID 1708 wrote to memory of 2740	1708	iexplore.exe	IEXPLORE.EXE
PID 1708 wrote to memory of 2740	1708	iexplore.exe	IEXPLORE.EXE
PID 1708 wrote to memory of 2740	1708	iexplore.exe	IEXPLORE.EXE
PID 1708 wrote to memory of 2740	1708	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/6NNYUEXAR2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
3f415674aaf480cc5b81ee559e245d58

SHA1
300d98a88daddc87cf58df28b6dab58888930668

SHA256
f2cb7ba948420523ff368ccbd1ca903d1f3696810796cffef731c4656faa0e6a

SHA512
29ca3c19ba020729867d44d7bbeae92603fd138fb9462b05bbbd043b7691c0cf9061aeac3e6a1e2cd0e30a9ea958d90ddeb986969e650a1b8fb9d962101b8a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
773585a556d9beb77c0788e0ab0cf7a9

SHA1
07b5d228ca2cdc49395af5bdaefc0b83aeb40a21

SHA256
1a5634073ef8afe7dab3f68b1f2167aeefab192e919006129ced7d090c622776

SHA512
ab8ca805e1dda813eebcde2677b960238be606802754860e56dfadd6ffaaed652b041fb96c78a94f073cac81dc2c0ca1fa2758120d1f2e4a6867ba0a6d3a2847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
82e43b9ae16df705436668a7eb151642

SHA1
123ad9158d898e8c1ebd0759dcf0c2098b66c9a2

SHA256
aa890da438f38613dabc3b40a26163edca4c601a722aad873ecf80a177e2e00e

SHA512
270b6e7329fbff45a5890183221e1be642bc0c8d535bc8b88fdef51fdea1ae759974ce75a1583abbfe187f97fd076b0d1539678a36eb987aa2fdd8522fd80811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6872ef2e7a9ef4817bd899ee6325035e

SHA1
cd97da94ab9323a17740c1865d709bcbfa330bdb

SHA256
dace918d0d8b5e7a7d0bc5f806679df831e9f8dc50b0564aa6ddd873d2fdde08

SHA512
02e7f58e3151a289a77e61a0a4df98144281f075ca6e70a6e646c32ca0d819c419d58d527ddd1cc2a174ab217f194b46efb2f6f9b0fde7b0e9b666238b73d02d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b1a30b8c48fb198e0b4c58a68f23ee9f

SHA1
84f4d0989e24e3e19f2ed91f2ee88ff569c277c0

SHA256
ad1251be8e1fadeadaede1f7d32c21389b8450253a1af3a837227641822cf613

SHA512
f2b7981b09ff30fb911e020f67827e0a01804bcffe434bbd8bd6cbadb0a0fc048f1ae44f0e15d35374fd2366bbad5b42eaca4ef2045f6771ff66e8614b8b1f08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4929f9a60945ba9a6d8521989a2def2d

SHA1
81d6434cec42c7584ecc47bcebd58ba43c07d32b

SHA256
22836a04c33b5ca218ea098dcd7d7a2daddcac1945d9dd69403ad2909d1a3157

SHA512
2e70506e063395094b67fd8798b3422e9d1516ab7d368f43b74262730eaf48296f7cf5a1e5ffdeec00e6ad0b195c90931c073b2a857d6f24c1c32ab89cc92901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f6a463baf2a6f3d5dea4c05a1683b025

SHA1
e57072adafb64238af8c62cf6d98a61fdf5b8ea1

SHA256
d402069d04ac1bde3e816e9333a43949205471f7204f1272ac747b67f5384fa7

SHA512
8e4a426bb1248fe94aeecc85c857b4c983803c301ab6b1b1fabc794bc3ddc52d3eb057c191f80c53a5ad00e84f1d0c9d753070d071ed65cbd6124008f3aa50c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0b3951c64eaa3d268a916f6541e7d102

SHA1
2073967ec68369b02925a3ad60fd3af033d06dfc

SHA256
871acd3d7d242acc92841075a6c203a803179826a0a10f9cd146020e2fc358e0

SHA512
39b70e39c1bdd2630c60a45cf864d3dacf66c3c04b653b200a40c0e60f19648cf28a1881df7376ef449af726baac5ecd077ca680dcbb4d5d30af2d7db2869202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5911d6434407b5dd87ae4c9cba11957d

SHA1
2f0d6371bb6c6eccb75516836b0b4a81b87cc135

SHA256
38e0a82fa1b6d6531e1f07f543de544eeaee6a438e0a3f8ff1fefd0147d4ef44

SHA512
01d497596a371c67136922b247a4d0e43989242fa0cc023b9d25aed89c6e7eda5fdc33d7814d9beaa1c8935723dd001e99d4c3ead8121a3c0e85a7845a3bd6b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b54ba20a6f48971c29423f8e5c33f780

SHA1
1bdb24416cea2583170df6d9b3d2739defcde1b7

SHA256
5d6e5f89373040e66ea81ca0d2454a0962ee9c110b6e1bda34d272ebbecad190

SHA512
c4b19bfe58cf91b493f0e9f2a59a512d152dd11da94da3696d89e58b48e0fabc026e0053f7e82d39b30137d240f4c64eb67732e48fb933c27902c6bcc31efcff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
533191daf053b4cbca3bcc6a14d74018

SHA1
69bf205920e6bc58ca0c820d9e1f3df699f6f016

SHA256
af9ab1937f6c9c74afddf440d06c16b6bfac9a0aea7e1ec7f76abc5fb1861105

SHA512
0d8f99cefb16e2e2b8b3b37ee07c16948bb3f04833fcc619a26fdcb79836d09df93094c89d15cb626a813f52eb5d362c1f7115eb391cb60cd765b1b6e575b3ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1cda0b9d94816a4b59138afab3aacf68

SHA1
959836018b96c532706e403fe4740f55c4811785

SHA256
8319c87e1d35047efcb9438383c9544630fe496c948cf9c1edb1d5c3af7f5132

SHA512
e0b726833ff34c491cea5af59e998e1b1607fe67f29ba09f3fa5ec001ac35bcee4b94f9da7e0528bc2347a9f50bd22f1dfbd49f4537e47055958d19348596126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fd0b29cb3aeb6cbb02b5d3c22af1e0f1

SHA1
f915f83a472c29b44c2eb5b0b8cc89f1b95155fd

SHA256
d6195d9f8f65ed9d5dd774e31ded44b9d9d6e38470a7f15bf6b3fce205988612

SHA512
1326e55aed08d84d40b6204ba681c2416c4744490fcab074806811740ce3b7e04cb2461517f265eb0002cb98dafa0ac23976f4c671ee0eb7b39141f77fcdfb74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
79ccb6ab0b5ffb3b3e49a1d0d8ece13a

SHA1
2edd872c52feda339df776c804bc607e1a3ba63e

SHA256
c0303c8cce175b3d8001cf6eed9b118a4ea450a77a81d7f6a28aef84cb353636

SHA512
7df10027acd4b07e752640af560a196b3365379a1c93be3ddb4f454c1ddd4765f2fc5765644ce4252432454cbfce7b2ee2b442a23d8cbf3fd8453866786e52f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
47a078af464dec2c63289d70fc7a118e

SHA1
a56baaf20d71882cfaf1302d8f0cdfcd7b9116c1

SHA256
4fe00bff85e33fe65d47705d17dec789083bcfc854ae6a09742dcd08e57544f6

SHA512
e5c380f550ea398534a9892b3b35912127df9c2c14bd233ae756c4ef7978a01342c2dfc9c28d0863a22fa8f552b20c6aefb1314195427f296c2c74cd4b367cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
14859194b29da18b664dd08623310f18

SHA1
53ab6d24dbf4674b12f2fb014afbc01f1e96d537

SHA256
869769dbaacc6f83fdc5f6d827e5a203f6ef05c4902aac6204c534d9d38a4d98

SHA512
547e754973a973c513407181260b034d85cf106f4deebdc056e407d45f91c0df4d25cd8a01df3c2c7623292dcbc1f13b2e4b4de5f4fd630b5e154317ac93313a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
50717077b2d03884381203da7c923de9

SHA1
f6a8609daf9e66408850fe52659a66f56bf0093a

SHA256
ac1fa78366d7d262acd7eaadf9a9e0467ec55eb846d78f9c402284e55f76435f

SHA512
987bcc2a50802e97a30b91ad7c2904ac6210028eb915b71273d67b1faacc861b9ba50b8910d3fbf1a5bd9ec5289ff8b6975b92884c2e91d4af8e8e299e846cda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
706c8bf1e19ec0e2961583fae96ecf16

SHA1
e3bfdf387030672150d6fd8378fab0e389092df0

SHA256
ad8e7a82f1bd18296f79698feca2c0b9bfaf5d0209357d91d4548cb285b62dfd

SHA512
08833f9327bf6cc733348f59a7e7ea1f7f520f35bc63196ed05989c598673438a1ce1f6625197af783741796cc3417867f1e868ff53d2d1da650f228421762c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f9ca539e82d7b720defad6183d4e1a5f

SHA1
45a1863b7b9526aa42ef237454cd4d9a185e1a5c

SHA256
911d8c579c19c6187567d9eeb63042476d45aee04a4a182e26e30a2054e3456c

SHA512
9035e009dc32c32488a6af52391dc60329bf7e3084ad6a80772cd9ba133349bbefb1f6d4f2cfcb08abef4f9acec39f3ade9d46984376516553432f34e92ce9ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c4e03c0de7c45fe612a538a0db1c3f77

SHA1
d31111fa1f77779df181983cadeee9638736c5ff

SHA256
46bb22b268ce347ec7ed376b019ee1b4c2b1edbf4456f9682b46153b6ab659f9

SHA512
7ae61cfda3994eae9373b871c1fabb6c1af7d4e442d4dbf3b4dfc5fc53d7b3f05848f288f1f53f69847c61d7c65af7f51894ac8d92254a17b199eb9b64f002b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
5ce26a7ca9f0fc29e4e385f288f890cd

SHA1
c44129d364f9ce5fb090f6e48d852dd95d1c722e

SHA256
8ecf64dc40e1091a446b23b5548378ee0994c753ba7840d9c7aa07d1cce677ba

SHA512
f54320ebc8d6f12e1d0053a1a1bfcc628c9dd40e6578cbea580111cbd13566976b174f9123d9f4c81ef730b21acfb04e675ad77c9334d2183ce842ece74436c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6y0a2v0\imagestore.dat
Filesize
24KB

MD5
5fc5244f77f1b63e67492d5c6329aae9

SHA1
2881b1e6b0dde9d57a3e89bbe86df62c9f3c8c9f

SHA256
b295da9983c4c37ccf6def8e37119d52b2e16a6da1a57796621b910e50aef56c

SHA512
c9cf971e2290cebb5e2ea82f2d55b425b69cc0fa67654d1dcc0d0bfd2a8fb62af56e45a9cffc2b9d5b7ad3bf682e83ea28ec20fdddfab77d5743b91711958abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IW68H88T\favicon[2].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F89.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5065.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5099.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1216-609-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-605-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-606-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-607-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-608-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-610-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-604-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-110-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

Filesize
8KB

Download
memory/1216-1155-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1156-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1157-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1158-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1159-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1160-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1216-1161-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download