ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2136-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-113-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2136-523-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

16 discord.com
17 discord.com
18 discord.com
19 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

2136 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
16	discord.com
17	discord.com
18	discord.com
19	discord.com

pid	process
2136	Wave Goodbye.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01f258781cada01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000744d3a0286c8f72f0d8b816786a9af047330271899b2985f6a83d907b93f793f000000000e8000000002000020000000669f0e2f5a2701a0de98c73165315e3530f8639981dcf778a01aa112716850b69000000090d26a32a77334e48acd2cbf6dc6f3580a1bcadb46bf33fe6e427fdf37db5be76e0ea23956b6b6cc6ed22d6d85f913686e8a34c279373bf671707679f220a403dd865f55a177f3ae5bdf5ab40d2172161bbd9ba8c70576ad0dd39788e42c14fd981955098d4a8d17248396a842e8268924d6db02980a334b8c3962a3d413956310f6cb3616b34cc58de08639c57bb1fb4000000091aa56a0201c3292aa7955956dfaf4627cb4daab9115d00f5ab99eac814f398e09c013dd2a39fba2cb4bd47d7e7672530b5de85c0459ea8cac3ebbcb8d3a4681	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B19BD9B1-3674-11EF-BEDB-DEDD52EED8E0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb810000000002000000000010660000000100002000000054f6a80371936c8d43a28b559bad052fc6629ac2efb5acb6181aec01220a908e000000000e8000000002000020000000beef0289086a1cb05d794c9be4acfb12c29a5a65736844f75d3df110fa2e42df200000005389b8f298c2cdcdd4d1fa32dcd25ae6e27213925e7607ea327621a2cf93c44440000000b73fe115388f8cd07f9cdc19ee05c46cec1dc12a253528963545267e2c0265fa351db1bc9af02c162331c7f5af82f813e8c502884462bafed95b0ac33c57b3c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wave Goodbye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d	Wave Goodbye.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2088 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2088 iexplore.exe
2088 iexplore.exe
2756 IEXPLORE.EXE
2756 IEXPLORE.EXE
2756 IEXPLORE.EXE
2756 IEXPLORE.EXE

pid	process
2088	iexplore.exe

pid	process
2088	iexplore.exe
2088	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Wave Goodbye.exeiexplore.exe

description	pid	process	target process
PID 2136 wrote to memory of 2088	2136	Wave Goodbye.exe	iexplore.exe
PID 2136 wrote to memory of 2088	2136	Wave Goodbye.exe	iexplore.exe
PID 2136 wrote to memory of 2088	2136	Wave Goodbye.exe	iexplore.exe
PID 2088 wrote to memory of 2756	2088	iexplore.exe	IEXPLORE.EXE
PID 2088 wrote to memory of 2756	2088	iexplore.exe	IEXPLORE.EXE
PID 2088 wrote to memory of 2756	2088	iexplore.exe	IEXPLORE.EXE
PID 2088 wrote to memory of 2756	2088	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/6NNYUEXAR2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ce052b2ea1634e569a2fb0eb248e9aba

SHA1
400d19241e4a2655bfba559456d32c3f6f1e4de3

SHA256
4cab104013bae3b41140dd61e31edf7df16c3c4d888ecb04065ab4e9f38d4e98

SHA512
54f7548ccd22334f61f0884ed9966bd4e28556b50a9d18312bc93a3679ac0ac766e9309dd3f90d1bdabd437488c50f54496cdcdad9d0b522ef887595da6bf21b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b2e31706e972ffb9b69228b3251c5164

SHA1
a569f14512ceb6fcf28da9f8b2da761b792fc818

SHA256
411f7db30b0bd92fafb60d2fd4cee1d5368ad5947d15a00582a91cfda8128a44

SHA512
c09dc0d28d227d30b6901bdaccf76424e56de9d4c183a73a2a3ad216c2e84b902bfe72eef773fc265cdb795b4b73533a00fe89bfe721ba0189e3e99062c5b9e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1a80fdaa14444821e89ca98c43627c9e

SHA1
9da2de9bb30cd14ae6d67ff1c0a423a621921683

SHA256
e3f3be7cbca8177edb8045e7aa87a41bf35f3f5f52a5061320b9f30ebb0a0e04

SHA512
f9e0b1b917890769b8a24b68af6d046ceb5f79cb05c3e52e871753cef1afc0e796335119dfe8e1ee15063e484676297896f4bbab6bfd506eaec363ed476ec5df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fd1471e0ae18d092adc58098a515bc6d

SHA1
2dcc0e959e5ffb5316ad04ace17f908404ce1cef

SHA256
fa8098b035f4a452b598212267085e47aeaae60d83c2a1b9e5e23d91258ab035

SHA512
db5e171aac355e0c2fb599bf58d37dfbe8d71c2846d8d7dfc142c97e1b2731b5fee698c6c0793a80ddbb1a3c6632189760b8ea345fb6f8b9819ca4089a1035dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c43bbaf3489ae9b0adb7753d3eb46132

SHA1
cc7d6eb63ce114c3f5b6cbf1f40c6486b01caba0

SHA256
6aadfb0bef18adaa93e3ab5de91389f1f1b0129f3a8d6360e5492eb39737db25

SHA512
f598755d8029decf3175e07cf1c4e5fb9563c0904c174024976a59f5ccd56c7206aeea774bf7f5ea0872e72c1772cdc94314ad716109aa3ff0acb794e5350804

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c368de9a583287020ff22d1bea14b0e

SHA1
2e0dc90bfc8c318ffe6f67e1ea1b8ae258d42f7b

SHA256
52ec2c45033af4cb502e1f050fa886cd5e4dd33a9fc29b3fa7bdb757358ffcef

SHA512
11afe5dc25a7cf2fda359a240f7a9b24ef3bcbf864ca3cd51ea92d3940dc9a481ab51db85025b39c7d38f28f2ae5ea3a2e0be3d7b08c0ae15ac6e2da68e71765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2a07b34c95ef339d526a51c43064b90a

SHA1
8e5e486673840d1d5c7ada2303ceb91794b212ae

SHA256
67c1be425bf6e712c006be483860dcb006bac53063e018788eee7a29b6eda253

SHA512
dd4e26a33046ec5be6589d7680710da6d1c9afa77833e5ed8d9e219830c1e9454ba9cdf8557f1b423e414d8afa19f26cc73935b8955e9be41ae020d6d43a8afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2af7476fdc4e8f2a96f122fe2bf58ffe

SHA1
c624eb184a863da50afaab0cee695314ac713a8e

SHA256
0be1fb1bd1b2d5f1feb145c5e6a6dda9ca3f125c7f3f04be76220f2b3dd492e9

SHA512
2df997a304a23b600ae2cc0c6b0e4a6b1b7fdc8db3821e635bb4b25275f176dc137bdfcda6bd2f1a1bfa989ee2f908d8c346e6adc67097526ccb15489295ec85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fce7035af0023d0da04138c0d04c6047

SHA1
cc9e0f7a9fd5cbb725d58b9729072af2333edad0

SHA256
6cb0406732035a700b28c2de76a62866466ac198c7c43cb05e959061092270cd

SHA512
9509d62f2bb3afaae0a84606625050b143fac565f394abcbab5a3c672dcbafbde6a5239b02eadb08408b945665ba42c760e7f6f9431c4b4a58f88601b9dbf96d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
906d64b7dfe0dd447cdf75d311d1b357

SHA1
5d58de2fd43e711752b7489fbe41f9d4e12d7e61

SHA256
e17c574b3f33c5ec15907c7e4f21917d455c082b765e9dd53cf82695d0a7c271

SHA512
e86cefb13c2c4382288556da21f1a7a45e99fe60d40e024c456ebcd69b27452ebb682668f6b9ec4282fcd28c67e7ec9582ca20d334766ab107ad09b6ce336a18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8854ddb992673b69d47ff74d25ce5a8b

SHA1
8c7fe1167fcb554da61b91bcb840af920713aa91

SHA256
922d0e1c983034830a12bb9349e13d4dd266612fcb99a2e72767187e0a5ca283

SHA512
e80283e3312a0d380c8f446dc3b42bc812f40fb94937687cb91b65805815abeb3f556cbc15928ed4b39fa5281eacc4a42cad28f5248404600e6a4ab8173d5f73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9604f18ebe04d7bccc3357658b481e11

SHA1
36df4174272ac5cf1cb3281984deda7144d9c05d

SHA256
9b95ff2341e2f87a7cbfd8e4730b524de613c9800002660428a8eaa2b0cd151c

SHA512
75532c2fb32ffcfd2f2d4a108114f4a8521b0999e287d569b01f7eca695e659ab7471df7452cbbd46451dd4b26c71904b8ccc5c21d3175cae703e092ad6d2eb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
195a3d5fbbaffdce2f5aaefd8bc4d8e5

SHA1
4a24a75179fa98a9534aaa3a4cc7409c8cf70e09

SHA256
3545a289dce1ce21b488a1471b5f1b4ee84dc1aa7761c8837cc69963cd330556

SHA512
8a2a735368d660c11f626ba444eca09bf657385b1f4c464d343f66a3eb8bc04d3c3096cb0a7e10a18560d7083c0ae21c3de1aea080f7c2afa41fa53360428a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\leccqyn\imagestore.dat
Filesize
24KB

MD5
be4e595e0238e1189b0717d4a5b186bf

SHA1
64c20ddc593f09355a3386c51b1ab345b942dc6a

SHA256
3ce9823117ee0971b6bbd13e692e64998469f67bce9a7350ee3f0b7725573801

SHA512
3f9e185b4838685f4492f6730fca2d8cffe8c818ccd79a68c9f9313dc759ed3411cc20f0dc0e37be193895f70231143a2ff2a5c4da1228f687a15f590634c7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6F0O117Z\favicon[2].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24B2.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2574.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF8E85FCCC7C23DB4B.TMP
Filesize
16KB

MD5
f2ca1bee3fb07ba42578c11711268391

SHA1
e07cdaf9bd267085bf8366a8d4bfdbfa8ac9af9e

SHA256
5cb607bacb662ae09fd96b81e1d9c4f2db385c5943b29cd9aa726d132df0dc60

SHA512
40c148035eeef467672f2a478620df23f7e81145dc4a9f095b9de36aadaa9c86ade4b830476c56f8c1eba70884a69c09088a3d9a209414ce6b8d045af05c8744

Download Submit
memory/2136-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-113-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2136-1-0x0000000076FB0000-0x0000000076FB2000-memory.dmp

Filesize
8KB

Download
memory/2136-523-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download