ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
142s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1756-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1756-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1756-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1756-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1756-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1756-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/1756-129-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

16 discord.com
17 discord.com
18 discord.com
19 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

1756 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
16	discord.com
17	discord.com
18	discord.com
19	discord.com

pid	process
1756	Wave Goodbye.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307f754882cada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086f07204f73e7943a4cab70303cb7f600000000002000000000010660000000100002000000037e0d38f496e47c7bbe283628b69daa7982ae9124326ae3c8ddb0007f770512e000000000e8000000002000020000000bf9704c5df83238befdfd1eb8990c758c3daaa80468376f057614665138285389000000014a837eae80be259d9b41e6e12aec1e2b1599dc6838e7ef023ace5b71b45df74449fb811fdf2945aedbe14b09b8983436dd1c05a8400340b0c9f10b493a41ed1c295b24597e686b8bf0a6f2c893dd66382ffcda90fef73d28a39d11517e3c152ce6ddb7473175837d13f6e69e309e8154bd7a6ddf87e074081cea3c6ff7c057361fa0669f67b813d0a3fc580a71071ca40000000c2adc16704e916dc6e781a6789d2b4871186edf973a5c9a40cf1efdf005db32209ff3676e85bc7a249f07f7d48031f976ae8f85b968c73c37d43adda6ad4b58f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086f07204f73e7943a4cab70303cb7f6000000000020000000000106600000001000020000000b75dee63472f04a0b79ec7f6414e6e7f2f61b932ed77430fc3c0daf95af1b886000000000e800000000200002000000083f0a9c6e6312e0f02818e3e177bd0440e6e9027b6feb0faae3dd18a0805286d20000000c08009d9b67cbebfa7c052a07025061d285530671570328f5a3abbfeb17cf7ff40000000abfb051edc5feccd2012bb44a716e6bb94a74ca070c38afa62b25db85c1befe5846a76c7c8d2cf0b8a9e853366cd924a7797a3d1892b3798f8cb5b0653d469f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72ABFBD1-3675-11EF-9891-EEF45767FDFF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425868221"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2640 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2640 iexplore.exe
2640 iexplore.exe
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE

pid	process
2640	iexplore.exe

pid	process
2640	iexplore.exe
2640	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Wave Goodbye.exeiexplore.exe

description	pid	process	target process
PID 1756 wrote to memory of 2640	1756	Wave Goodbye.exe	iexplore.exe
PID 1756 wrote to memory of 2640	1756	Wave Goodbye.exe	iexplore.exe
PID 1756 wrote to memory of 2640	1756	Wave Goodbye.exe	iexplore.exe
PID 2640 wrote to memory of 2600	2640	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2600	2640	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2600	2640	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2600	2640	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/6NNYUEXAR2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
cff64b9e4428e71f99df6ef313b78aef

SHA1
5cb32bfee2783c108cf845a3f4ac86cdb53c4c69

SHA256
55a4d9c9e3c2da4b4102a59e6c27daf75cf6d7a0123f9aeefa95b84cc3446cf5

SHA512
97d2b43e8926d58ad45574096a79cf6a77d416563ecc00bdeb4812f95d78a21cf6dc51dcecfd7a3508e9a55fcfc2aea871fddd92eede6a134318555bc70231ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5b85b3a8713c2ecbafb41a91fa8c9a66

SHA1
7ddf6a46df09d6e3d11a0e4c450ae26adc0b9fc7

SHA256
c161e74c105f07e2552da9d8516ba31b56931089e68edd698c78c354dff03740

SHA512
0bca5a0169e34f7b6b83db15f6aec693f4ec400966d92e4a78dcd334594b3c68ee7d2870ce2727ce419fe1718c1b6e794c6bf6b3cec0f5ec985262665f8bd068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
69ff1bddf66db7917a9155558e1793ba

SHA1
79b16d4080d07d41bf1117d234d9f4b953a8755d

SHA256
87884f875efa28c1d59ffc8bfb1bb22adacb21c26092dfa2a9599a9a88734b79

SHA512
1528ea8b6185eee99a6be192e751dde127c511e28c9be4042c386a69d1e80c5001e446f7e6ea81864c18eacd787f10e5e15f80b329fa82ff8d6d39a3d2f95b57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
99c45f33f679fa8c17f0c681a9f4bbbc

SHA1
62e00f3b4e4a423588b5abf37ccf4508a97dbe13

SHA256
adb7604c8fca9b82a6bc659f586908fac9884bcd2d36bc40927df49ac519ca62

SHA512
36b3d2fd32789f00375af77f671dcb6c1533f0b3b6ca1181aa03b821fb22337915b4266b04af94378f58f0b9fbcaf2ee1508cbff7304c9833b5c15e637a268b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
82e480dd430e2ba65851e87b52d24f5e

SHA1
67db6f3e81c8776aa34eee14fc76a8703373a421

SHA256
5d52d83a73af858baf4c857844502433d0e4b02ef871f6fbe9a2ea572ba52448

SHA512
f229589d395dd70b0246549ae59328d631e123f89addf9191bf0e88df52fb955accb4db4a10592dc39e03faeb291fc81799e4697f88b1e3156d46a3d97c94613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
99ec6fe517b8a03459b02b99014cfa2d

SHA1
5ecd3aff78fb9fe55a2f518c90cf2bf5152aca0e

SHA256
963f00f48e6f843371b518ee0b20c2f73999ab1b934c6596b408fb54f0254a1d

SHA512
c8ca4abcd8712e2d82f4114609ffbd1cf65e2e0efe5ffddfd42d0d6f6b2710fca3c9bfc74a6ac392057ed110e75790cd8fde6d3434ff26e51a94538d4289a442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0111f3561beb18c6e74f0b9bdac57791

SHA1
41cf27bc92fbe4579319d2a7041649984d1ba839

SHA256
cb1d7c343c939df839954ac685841ff1975f84aa002fcf7427c98c2be96ce3a6

SHA512
60d55b510951619396dc1eb516f2ff35dd856c21581d4609a283b6635ed0f2dafa7f8691791b987015980ec890dbb3bf28dafe3ed02e66bb333aa6a0b39b73a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7db67678ebd002162b38ad98eb8d6f7b

SHA1
d7e8afab25f64bf1732c7965281c2cfe11017751

SHA256
6414af8f4944bae5f0e4091d669319fd9aa05450066580b1459540a3f7d68871

SHA512
27529f81f9a844c0d62f89a4ccb87811ca103f6bacdc78ce9777c27dc70d12e977337a39b05eadea088ae19296f704916f84a0cb75ef340e7e61cd943d659c9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ad4ab3c55fae1e0153725dcf1163651b

SHA1
caaafb412c2420cca35a515d494562b81030de61

SHA256
e0e4a72711b614dae4e8bd87341736ba103eedc266b14825f0615c9245dbf736

SHA512
07108133bdda6a7552e0d528c90e4473207a20accc51e735e62b3e8b1ecb21ef0f824e50df04e59d7ddba10b863e847edac3b7a2adfd89fbb3c3c4b22054dff3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1267c4d3bdc0063fa4288d787c775f98

SHA1
21146811dc7f105c2d5a1d706fb9555ac68b3741

SHA256
b799d8b2c46f11a885cf3c8b81f5f9404c1845eed5ce317e40e29e3dc5af1d6a

SHA512
b649008e0bc8da8ddcd066786e113d6157695b0e75909b1123e5c32d0781f132f399ee4a24df9a5890f4823077f0a28cd993db5615267472b38d78059f5a5d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
518eb77bf9b4dd590d7a11a978b6672f

SHA1
d0d45c9382439f115e9067b6d63219d22dd00844

SHA256
7c966ffbbde5eb53be16a50175420192b8b4a0c8fbec325b29767cd6f42f2431

SHA512
d686b8302f3008fa73139e453b8ee220065143608f6924279501975d7986195cb5e625a3f28ba608c908c232a7d7438023001fb1c8db7a372efa7b832328b0e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c28eb8085c5b6add300a1652bb245162

SHA1
3746308718920044b4e6d5c18c3e9146d9171e1e

SHA256
9b6f1da81a2f9c386bdff5373c8a308c0a0d4e125863258137d503999b315f37

SHA512
5d963e3e82d182e183256cac208b3e30b86e80186c1113e7830e7894f070b56ba63c89f22a0dfc0dc34469b1cdca0ce165acd9cbfcfeb7c49ff2cc432dbce2fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d95893f73953f49432ec61e356b36d44

SHA1
8f0476744d0dbbcdc0a63863a94ea570a1c3a652

SHA256
1af1ed6109b1c17a6c4621ffbc4d4bc82b91c2942a76064539d44fdb29ed06d8

SHA512
c46b45c9c1f292c2c9694c2fe2af6053c4a5f357c10b2789ecd058d15be8f2f29d17ace5e1e428c0e0438e89447672561ff1854b3ddd8efc9e5e8671894b36a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bd6087017e58f53a45098c326307b710

SHA1
9020ba7578c7b62d5ae57c5f9be0373e2bbca0ae

SHA256
52e9fc800b61adbee85ff66d42aee2c1dac1d3353314d27cc62fa2e9f6415d78

SHA512
ef3866c95c469b171d5e331c6a8c01b184daa54707fe8d0d2a0b7d810de3a794b5e89beeb478f6b005c5f018b44344947ea06341269340c0c7b78023682c4127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
da1a12064e71c88be47f29348578622e

SHA1
b0531f06f1884d92f94f590ee038e9e01e60f261

SHA256
97a7382dac6395e86398715c96d97338c6c534bed7c7412d2ef21ed4105cb420

SHA512
90b5e332d421f3d3f6f92fa5fedeadd00bf73e3ab407ca1f937e468fa648f062d99f85d3a3159858f6b690a0f5ef216fd559f0ec141fee6ab32d35dc167730a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
284a81a1a207cfb65cb7482013f7fb09

SHA1
287627bf251e155efafc70037ddcdb5f6e6edac0

SHA256
190f708ae920a2efb5155c68e5e6fb309d80ba42128e0fbe3fd5fb4667367cb3

SHA512
df46553268647ce9715680d0b22261b27be1593ac21512e3fda46c49325a75e4a2ac59c6d0f0d09007b7d822cffe23e26adfc1c7f79141ec08a65888ecea862a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
683e90de45563198e2f89e9c947b0beb

SHA1
b94e12588ed56373d09a5723a2051a5ab024eb75

SHA256
986d07d4123d9318cec356a298f7df5013389b73324c11669b97eaa23dbf2810

SHA512
ab8ce7a19af9c0ef03bbc3d8861d9ad2d816985689f1f634fcbee787aa5c166cea295ebfe2236e1584ace98bb7297edbb663ead8d7dd51a1429efd10d43ce995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
51fa43908cb1610bb9ca4aa6debcef1b

SHA1
d387ab4fa31f8e75125688cc7ecff535f7b42818

SHA256
f1c5fcd9e23a3db943a4c72ab8da4e3c50d0ddc347b713851c4e82e8e9abb4a5

SHA512
f652b0bcc25e9d23aba5fa1351bb8d9472c2ec5854fbca67ab5831c26484a77c7d088c5835532f0ad0ab8ced9d5bd8c723b557a1c884e932287c637ad23ca312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
08da765224a175de9223fc640dc6a778

SHA1
6ccbf982ea376fecf5a28e10d90376a723b5d432

SHA256
1191dab241b7ce2cec9f85defa3e7877cd52bb4563f2945eb9d4eb406ab741d2

SHA512
e3b1cde7ed1ff751caa51002901b272e81a0f038f416269b720e636609df48cea98e2fa992be713c8deca9badb6d68830798efe006b57287224c4cbf33efdbff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e3ee8055bb830bd8675f25edefb4e6bf

SHA1
66390b2324d4dd765331f8e9a379f75ef1e178f4

SHA256
f8b253b270ae13b1e545335984ed54e7f87366bf275f8beea5e8ddabb39f14ae

SHA512
a1c672ae71c54e6f8420f6a6afe5a774140c5fd081058150a56e6f9a8daa4a0f9f6676f6085e53d9a302a44d115b0b9995a0291b87f290d2be0d4b73639405d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4ba328bb40a6afa3b9a19b47c2c60efd

SHA1
766139fae1a91ce79ec7ca59c9f108a3bc008966

SHA256
17d006b2fc9ab149f62faeee3d869fb2468690c51685cc9db42befcf733361ef

SHA512
9c4515a3b07759b113752cd7d65fb5353907cbcb34bee7ffae4e1113732103d856e9380288114cf36dfa7157d79caeef365a6e0c0183bc12e47af97065faec37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1cb8e29a42cfa72f3b58dd28f9ffa76c

SHA1
c99c034365780279f6df8a4b9e3c54bee307bbf8

SHA256
1f22baaa1e38ea06546f8bb98acd7c6e6112e8a4e03c97d880d553900bbbc6db

SHA512
ec8994e125bcf875e0fde66986934559cc52cc93ac6088a1d8421e4a52fdda02b7e0f7698e19e2e76e123465a42fb7025eca0914d3321385b72b4593cbff35f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
ea01217afc49c766231fc3672542e70b

SHA1
71cd8b24b024232ec2218deedc2b8fceff133470

SHA256
f32c0099d9ebc145cfd7ae1a370fb9dafb8f5ef9796887ca8918c6379d077643

SHA512
53d77b2cf65334ac00abbf39c13d824b1080488188ea729c10b18e22473ee4079de8ab523cc66a7ac87af328834421441b61b9592ffd14afafb42dabda18bfa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat
Filesize
24KB

MD5
9d3e0d967817bed8a6e85b89c1265420

SHA1
4e375e28c2deecc726862988e789fc7516c4ace8

SHA256
f6afde903709fa03260f11e70bf0db41393d4cd9e5636addf450fec69d6bcb8e

SHA512
44197168f657dbc015525bddf0dd7800df4cdc0a9ecee83335f847d6e903ed81f31185404c2b843e258d3f43ef33ef9c594cc73f662bd09761a2f358086577fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\favicon[1].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab44C0.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45FF.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1756-129-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/1756-1-0x00000000771B0000-0x00000000771B2000-memory.dmp

Filesize
8KB

Download