ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
843s
max time network
849s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2072-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-122-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-552-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-553-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-554-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-555-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-1006-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-1012-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-1013-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2072-1014-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

16 discord.com
17 discord.com
18 discord.com
19 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

2072 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
16	discord.com
17	discord.com
18	discord.com
19	discord.com

pid	process
2072	Wave Goodbye.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000001c24967ef3e42726d42e5bc13a895d2490195f0b8cc9ad1f0f5fb78eef328dd000000000e80000000020000200000009702d7fc6aaae6d18ebf794058bf51757a6b7a04cea660dd79817204b6b0669d20000000c9e23752bf9278860012dce336ec31335f87658f56cb2fc686b6115fe92399f840000000bce8f548896202a2cf5026e3d497c3303d7643cdbac1bee5000440731d8584320866323bda63dee6a29fe90a434d8e4580442cf445bf49e30c2e212cc95cff31	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07f776874cada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425862262"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{91F92391-3667-11EF-B848-DEDD52EED8E0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000575bf4a50eea87a9cc088b611f65470ba72429e9ae4249793ecfe46dfe3b5176000000000e80000000020000200000006341f5d50ffc170ee205081dd8d21720eda7fda56ed580f257cc10034bf52e9d90000000d20d322189545bae44d1cbecddeac8d40663fd4c0368538c4de16f03e6c28405c49de66752f09c1464173f92612f0ac701570594de7906973f0b162a68e4b7c0fecd094bb90a01a199884766269e4f3776f34aa6a0494cd74c99f8c66f1a6a5839ae0b71a9830ff327050c5e84042bcf86b26575844fed6c47f85ae10cf3be8ba0be01877d5b12bd614a376a1f50d02640000000b0da4835bea4a4e24a9094c643b2ec832e5e8a3ea9ea9966e2fdf7e7e29342f4aa539de8f1773216c53b647ca9874516fb2ed5079dd111a00b1cd7bf28bf397e	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wave Goodbye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d	Wave Goodbye.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 860 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 860 AUDIODG.EXE
Token: 33 860 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 860 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2128 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2128 iexplore.exe
2128 iexplore.exe
2880 IEXPLORE.EXE
2880 IEXPLORE.EXE
2880 IEXPLORE.EXE
2880 IEXPLORE.EXE
2128 iexplore.exe

description	pid	process
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE

pid	process
2128	iexplore.exe

pid	process
2128	iexplore.exe
2128	iexplore.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2128	iexplore.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Wave Goodbye.exeiexplore.exe

description	pid	process	target process
PID 2072 wrote to memory of 2128	2072	Wave Goodbye.exe	iexplore.exe
PID 2072 wrote to memory of 2128	2072	Wave Goodbye.exe	iexplore.exe
PID 2072 wrote to memory of 2128	2072	Wave Goodbye.exe	iexplore.exe
PID 2128 wrote to memory of 2880	2128	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 2880	2128	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 2880	2128	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 2880	2128	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/6NNYUEXAR2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
699c8538295f5e7e372564271f6288b4

SHA1
e05e9e33b843b63ea3e4c8daf2322dc76aaec87a

SHA256
c0dec293d7a9b889992be4dba10d7177da2ef95095cfff9c1b44c624aed67088

SHA512
b79bccadc1dd5748bc2ed7e2984172c9bb0b77cff9166aa4e1760c051291a25777828b7f39e7d2630d3f5afccb01e71ac578a0678b61bf29825428a12a63bae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
07768ab43db8343186dee8edd60a5e80

SHA1
c5090de140181de76c2737981f2edcf6f3db1ec9

SHA256
5e13d4f63bb4cb87e2fd7647f185b5477d83b6b1b00f72366e0d18ff71d811b4

SHA512
a3b50784304f2f41a97a7836dcc450fe509304e603ba17dedd374f6efed3473c7d10d31f4e86f4e2358013f1efbf3fbe66ff1704d186fab351647191deec01fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
093b002e785d9658a06e053a6f75f7b1

SHA1
3e8b569fc2ace380e81d487250840bbaf6d1674c

SHA256
2754bf435e22167be99e1371e23bf26188ae40ed7e82c3cfbcc52bc644e597c0

SHA512
83bf79d6001a9d39d5c3a10ea9063ae430bc06a737744d9e2f0fce404e55c8323dbf4f326ad61924cf4fc51cbc29e5b8e039160b068f2e9271cb865e137c1285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
24ec24113e5bd22175cbf132c2118738

SHA1
06f1064a5358ad401caaea077d8c9c11db008b79

SHA256
afe83e0a4476553619537065c2cbd95357b6e6b5f0c91cd840cf0d3e84f6b6d2

SHA512
439062b92f7144e9c55cd4f59454938c20874743317cedb91db99d66445d4184eb36392129097e66082d5b5512fc0b51b1551b65a21945e2420b24271669a476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ef0d44046e9b09191a8102c79458443e

SHA1
a86991d598f53e0b55c71c72ec51e21d691d7ba2

SHA256
40c961db48d1c75bd5616ff2fdfadfb237311beeb51d30b0c21321a1271bdf8f

SHA512
f6e966c881a01fca6ea7f67d7146b257756310706dc6e1b51a9c9feb64d35d925dd12d676e68378e84d2ee43e2efc9c7ae26bbcddb4b11dedc30da923b90cd92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bb61c227f1e3ba91e7fb5f6a5aed3d56

SHA1
c1bcd827d8455b22f186a2ad3a93b48838ffbb45

SHA256
387578ae833425da602dc500f6874080e958b0f5a258f3db4e0d4ee95ad817cb

SHA512
d296acfe70b7608f3caee6bf64bf83993c5e5acad8d13041963c185a370db12fb6fc56e526d0b750ee686f4f96249e1b4791f93e680e13fcc19b79eecb1b5276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f3e4c7fa2d5ae204b368f6ea16702996

SHA1
447d24e1f6b8eeca01b0d81b79dc6ef5549d4517

SHA256
2f2be455df07294b0a76c1374e84a2bfc796d5ece9c2bcc0013ad39bfce9d042

SHA512
0ae64b11e0a7abb160bf5b8d9759fbcbcd7ae853ac9a7f6dab22c83eb8e87cbc910325de1169192c694f37bf2412a0dea35e595226ce356871724a4d70c87758

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1d7a4df4274191d8664438060f26b7d9

SHA1
a2fca3baf2d19da40777b59a6e72ae6d62ed94c8

SHA256
d0595c807419f5ca2c23890bab8752cac23fbefffda9b7d3f4c863259bb85d68

SHA512
e5d797390df5d16705c1fdcf6e56e21ea1ffcdc327b5cebc3af6e9118d0fe21134179c65729125cee3f921bb7381d9850d44a4bb80eecf092bc180de7c3d4461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1ff83bb68920a859f21c5fce685a980b

SHA1
4571a1c98a670f016e982f90114a6bb2378e97a3

SHA256
94ff295daa97622f51b2759b978049d4bb1db7162f7df654c2597dc92f95859c

SHA512
b08c6ea6ed33400c75a22cc200d3e79b068bbd2a625fc9741e68ffe7f320c147c40f9caf2ed0ad2d4213a1c3f2c52c4f75a657fdcbb51793e03b45ea2bae3293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
92a5f276045a5a3d3dff56deeb2a2ad1

SHA1
e6b26f103604cd701e613c1c5ff5e427c9671512

SHA256
eb7957d8d2a05fcf15f952eeaa25a9bbb0be7478baa5b3805f7a674ee20559a9

SHA512
86b36b7e391af6e4f490960614d7d072ab65e059deb2ee3d599d27f1ddbdd477dca63763f87a5a813a3cb97ab9c0b88a49ec2dd43a1dc68542d31671df54442e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
feec4735ee72f19610a06df46fe260e7

SHA1
d4b50f7914965cc10ddb310c93f924115b0e2a22

SHA256
b3745b55d3848789d301431fef94d8a2f2c628d0034ce90d7ecaa73a45f733e8

SHA512
9fc319f9661cf4f89da55c70fa42d54572216658a87db7cafce1d702058c990b6b3b7ac65a1e0d587c75f048b259630dc28464dc9cfdbac994d5b92a95c7c7aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
21c44fad46ad10b857d90276af8605a0

SHA1
054772363a4595f8d76e2a0a333cf20d6aca2632

SHA256
a1904b4ae5c46107641af28dc79f96ba56ee38aea44b1972f37dbdbc97b4153f

SHA512
8abb53b6a2acd4e1e57430998e7bb5ef1d7bda8dc024f2bb458b81e709165a66649414c856d91cb81d713b12b60a062f7d261fae6fa15ee6b57aa98f58958323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7969eb9b3eb8ddd5b245a9eb04fd2c70

SHA1
adbfed6598da24ab0669943bad464e794acc6317

SHA256
c1c0232cd65ba15f574fe38d277b0c4901ef01f7890e4ae1bd546773dbd49ac4

SHA512
d1c072c23f301d2937bbe35163cd130f8fdfcd79ad491522815e06540f624bd33e50f91a3208b31dfe7cb39fdca0ae36be2c89fbbee947a3c49e6e996d94d9a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e00b73e4397859b8dd0db0676edcf382

SHA1
350137e4969dce06cc64e98c0c34d819d7ec0e3c

SHA256
58b5e4bcf9314fbd5ff7e6e531cfe78da3b47805b2f20a7e8e7e4f419216a882

SHA512
1fc39b5a5ebf4a49c99e927aaed082cba8850b760cb9c2658340b78181478f06ce08c84ad7923e5c37bb8ea8996ecc6936f76f055d33d4affd9e55aef414ce18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3ff2790ff14456f67eca3a9e99775201

SHA1
6a79295ba72dc5251c234b2a6f346ad1f866e211

SHA256
4f6df54906ed49ffb59079743b4bdd4f72129737daa972915890b163f06cbffa

SHA512
b5b7cfad65ce50e4139895de97bdd1da8e66af6925f3806261ed8a11beadabe86f50b9124d3737a2f86b082551fc0cd3a39b6584c2f9d33791fd3fcfcd6d0c52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6a7206990ea81a34646b6555697b9001

SHA1
2fb57b5cb917328a0c2b9e45411bdd77963c069c

SHA256
fd596f3c793f63d47bb41bca954b901834715d6be593eea82b5d424c504f57ef

SHA512
90643a39d59af2e9aedcb766802ad9f61fe872e82305d91bf8e44e353d9293ede2990103c9a363fc6845b207bfc0b984e8727904a1b3ee0184f336aedaffa667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4d1131440645fed9ae9db96d2f5fed76

SHA1
4f343ea51e03b879673d43b945f7ac8f25afac5f

SHA256
b1864858806707b92d0a2869b8af6d24d05e52b30e4152c4d82d9373e85fe615

SHA512
fcaf01e2336ce2c499aba8b2654abc580c1f2ec3f8592acda6b761f134becdc5bb06456bebd42f28adf37c2b101ee3363bf225ff3e09e18e2867f1a1f81f21ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7bd81028727441951a20623339531e21

SHA1
3a17f3f6338f6bbb1cd830d27e7c36017210c970

SHA256
ad7fc9139c0b87397b9c9f32e611485142d845bb9f12ac8496ea9c1ce4a65e13

SHA512
c7240163b207ae7c53266ed98e6ac3517a4bb657c320662708e3774c9f374afa8f5b17f5a4d3a7467c7479b4180dc4e6439536e704ef88e541a82fce81546272

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
da6978d95272dc38528371b0a3df4fb8

SHA1
418e529d4728f211eb92779ba41f5cd1db28a15a

SHA256
3caaaf8fec68ed4f6cf62e6399c790e15e34d222cdcdc7f7d87244f5306665c3

SHA512
77a8f47bcdeaef0555262ced7e67304025b3e35316d8238c9ee6b6140bfb5a8fd776540a6530aabcf08adec0759fc59e802a0376a450da10c1250bdfa1950d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
004e706366ca04111fd5fb9e3152f08e

SHA1
97508e83744496a8b89cb21a7b5cc327ba9c65e2

SHA256
575edc5dc5dae4fb50cfd4301e18e93a1ecc46b76a934745fd5a6473f8ef48ff

SHA512
53ce4e0ab4d8d3a017a01589d8fc828f3c3f6c1b5a7b3e0405cee42c10eb3f8e221cbec968291d7f1107d05023ebe0696185e2db32b1b20f17de15f485bbacba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
28cc8153c8b2859bdfd8e35780d54277

SHA1
50851896665ffc478195c153d9a441714c028d18

SHA256
ac61e0b5701e943f20edc2b398d621bbc8ff027adb1e16cd911a00c5337cb9d4

SHA512
5dce0146f0aab7116112788063c76a6d57eed91f414a1a9922762f923217aa20ed396ef1979e70b471c3d0f5b00720c9f13e2e28ddfe8dd8a2bbecacd4eb390e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c70czm7\imagestore.dat
Filesize
24KB

MD5
27e8af96d7ce730b72efc2b31958687e

SHA1
1a62c32541624c52849b63ca03271fc516790148

SHA256
cc8b9d9d49b49a7c2f37f76c7d87b96b48618aba59a5ebeaa6a163a00fde3532

SHA512
c10bd7bc61661411a960cac23b5e5041d83561b894b419ded9cc67dd0e566474402ef02e92c8d75d8487bad1b765b7a9e1e2ec84f6bad4027442a3af080fa2ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\favicon[1].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80E3.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar81A3.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2072-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-554-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-1-0x0000000077440000-0x0000000077442000-memory.dmp

Filesize
8KB

Download
memory/2072-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-555-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-553-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-552-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-122-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-1006-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-1012-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-1013-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2072-1014-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download