ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
55s
max time network
56s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2872-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-7-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-110-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-583-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-586-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2872-587-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

16 discord.com
17 discord.com
18 discord.com
19 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

2872 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
16	discord.com
17	discord.com
18	discord.com
19	discord.com

pid	process
2872	Wave Goodbye.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004c3f93696a68914399711b998b60be79000000000200000000001066000000010000200000004bbad4b4eb59ed3ceda779e4e8cb4d369714018a3903579c5d4c49a764d85e07000000000e8000000002000020000000e9233bbbda0e1268a8efbe8f3671dce6d6983823f77c39c382bbf33c1577e50990000000a7322f4ac79117bb7da314348618b4c91fad9d96a45ce9ed44d36ad487f93926ba0a1d356a1f5fb691b7537451540e7303bf960951c6eb3866e3a9e2299b8de12f3f544f1943e5e6fdeab9875e64f4d72c262697a1490c42b8f23a966ee02d9ed3d746dc0faf9009c6d19b2f3401b9f949d4ba74081f1c770c25347a0e4f097176d1eaff437294c376f93a9b7c395cc6400000002d08bf446fcec5ec529de3e0be36a3fc5e647bb7dadfc426e1e482b28d790e69e4bd68f503e1c404185a0f7ee85fa7396ede64e6674f1c15b2fef5e0d1ecea64	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE66F681-368D-11EF-8F92-565622222C98} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50151bd49acada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004c3f93696a68914399711b998b60be7900000000020000000000106600000001000020000000835734964b081a213b031d5f663cfaefcce181430ccf3c405a0c62b5aa8a7887000000000e8000000002000020000000dd587fd3c3edd89c449a5d7917e33b70e5fab47baa5a890a753af76f73ed37ff2000000050c840dabac6a88c3bc2e7d322f803c69668551f83c45c07fb56b9ebf616586440000000b0b005b7eaaf4f1be0c201f2493c4b006e924d0e362d00245c0116aa6d9aecafa0f06488d41e410b42688ba0b1142dfd5a07cbe4cb3b6616e3e5f29a1ae9fec1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wave Goodbye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d	Wave Goodbye.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2492 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2492 iexplore.exe
2492 iexplore.exe
2548 IEXPLORE.EXE
2548 IEXPLORE.EXE
2548 IEXPLORE.EXE
2548 IEXPLORE.EXE
2492 iexplore.exe

pid	process
2492	iexplore.exe

pid	process
2492	iexplore.exe
2492	iexplore.exe
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE
2492	iexplore.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Wave Goodbye.exeiexplore.exe

description	pid	process	target process
PID 2872 wrote to memory of 2492	2872	Wave Goodbye.exe	iexplore.exe
PID 2872 wrote to memory of 2492	2872	Wave Goodbye.exe	iexplore.exe
PID 2872 wrote to memory of 2492	2872	Wave Goodbye.exe	iexplore.exe
PID 2492 wrote to memory of 2548	2492	iexplore.exe	IEXPLORE.EXE
PID 2492 wrote to memory of 2548	2492	iexplore.exe	IEXPLORE.EXE
PID 2492 wrote to memory of 2548	2492	iexplore.exe	IEXPLORE.EXE
PID 2492 wrote to memory of 2548	2492	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/6NNYUEXAR2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5b23a620e126bec8d665dec8903e27a8

SHA1
be8c71e8a1692cfe71c539bd82dfd71f92eb73a3

SHA256
df72c8e631542052dc1a5250723c594031b6462c25ac7d57ad63ba9de5e20281

SHA512
38cfc62a564ee415a790799926c8d4f2631b6a7a6d3387792fa330b390bed19c1f5e630d7389f65a17bc4cf7358d83fcf640ccdacf400ac76f24b48d3eb0dd34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
307175572f41bac3317f84155f239315

SHA1
3df53e2e3f4cc754c30a751edb06d4aefd203dd9

SHA256
9a6c9cf1804fadedc8186de6ebb63db1fee8fffafdf2fc678412e67de6476118

SHA512
421de291c891a40e741299131078c5760bf80e3578770931cdc5d272b2c43ea2e523df9f80624bb0074ebae1ca79c8236ac3da39246635e1b41fe2c4b3fcaca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bcffe66068aa82a25c293196b992cb6c

SHA1
3767246d9875e8b3c0fafd3244bf18d6057a6b4e

SHA256
0e04d4042f4a9ae584358c7f979aad5c90f8298381e395daff16c083eb4151b9

SHA512
26f301862546894a95358c235170b59a2115bdbe821ed94fc464fea21dbf2f277145f853f45ac1fcc63ac0c89d0d9ae078095d8a2217f7d3efe39933b7b92060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
96bcfd7c31452b40366d2f234b1a8f56

SHA1
3465728beb0a28ae8aa7d1f44607db6de62737b5

SHA256
9d37deb838f3b4b11e3d40ed35f711d3aa12c6040851f998213dc327d4bade3c

SHA512
27c5065bdb1c23f2f26f9698a3be49bf3bd8a974da9a12ab598e901d5d116702607f7333309e0d3b8082d891d6fce2b0ffb4ad90771d6e50678463194302afc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ba2c374755ffc1de5d1705c3d763d283

SHA1
133e06c524b6f8ceef750eb44bae003be6b7863b

SHA256
bdbd7f8cee6f20bd0c60a8355cb9ecc370e33d4df7e4cc6f91edcb96d4638004

SHA512
3dfd79fba064f6cf8e66431d589529f11e0bc09fb7013f00279e4a1b26934be69642ee0c5291c0859d52e1c0bbea9d22c3d6e556b07b64d0eeac645e359aa1f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3f2f60bc40436b98ca993d72d1fd46eb

SHA1
bcd91b71643879b5ed6297412f6c28824a1f0c1d

SHA256
1e8c4735edf32cac63c97d10bd01b62b28dfb4615417decc6e89ca2be76d0579

SHA512
b164e4727825160eb6061eba003fa1c9cf23105882f67e003b1b13eb183f048c472c5f41a345ae2473cf5f6a7589a891313cbcd8bd71835f5d9d945c16e86eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
54ab7848497a205bd2f3781cdb0baa39

SHA1
d210f9d5e9eb48db9242f8698d2deb96f0724a8b

SHA256
394169e9af65bc84bee1377f9bf57b6086287f483c161f3c5aabecea5b308394

SHA512
8ebb5dd21213b3885cd638bc9c40a80a5ac511f890c22d4810ade91ea8792f066896df01acbd3734980fac37a9e34ebb0f5862b26055a9dae7b128cd7139ee7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6b3638c073138c95060f9cab80f6ad73

SHA1
83d87b9869737d56b82bb5ba220cb1df94373ff4

SHA256
0cc0a54a6752c1bf80107ac36d43cba24ee25ab47554cb1689d803dc9eb0e152

SHA512
58ec33b7797838ea878494a6460a7d385b9c9452391e43b5acd06bc2786eecb49eb658cf0ba57d7eea3281d38b418d9bafe518e21596857df66ae8498165a896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ae66c857922ab3a8b3034893efa65d18

SHA1
729f49946934c1f4fb56bdf7f3ff51028b3438a3

SHA256
2091957179ce894f73ea31e12cf2944d50fd5f9600c67f07826fb0313bbd3ede

SHA512
b67c73540ee8b8a3721898944f426841ca47c8085276c9a9148e4354e08d155987b9295e72d221092daf73165c85c8ee5a10394a5d82957a78483a419c0a3ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
56fe6f4c79d0c02ff0c6f28bdc424e23

SHA1
5aeacd788af8c5b1a8f320a88cd33c61dbc0115c

SHA256
f785f79de2baf2b9882fc9c4f383fb8acab1609592ebfdaf07f3a523b03137b4

SHA512
f6307867f0b2de3d9d67fdcd1e465e47828844dbc6ec36c2dd1a5969e73abbb8b21819c4002ae01e415efbc5478227ea8e9f630e1f79212f7f02aa4c5921c2d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5eb0d715389585f8f86831310a916d1d

SHA1
182f193244a097ec46e5b74237cae4e8c1a4fc92

SHA256
46277e711c74ac3c23d92d56acfce5ebe84d19a3d071a3e7c37a92d1626ff184

SHA512
d8919d304d06aa4c19a415db6cc8bcd262357b70b3fb2d71dde4d9a2cc098681ffd3f27234d9314afb69238d0dd3a7b1302848a5e372e493ef3ac2f5bd9b1076

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7d349212f841028414222380298087ae

SHA1
bad020ae55e564533665355e983dc823d8554bb6

SHA256
3289c672571bd831587d5a43e31b31348053f69e85b87cdcb7b2d8592b7adfc5

SHA512
749009a776cbbc38bc0319a296af54e28599a344540589af94f45566cd9e570128ce7eaa84683e4bc86b692c7f3846b8bd224f94fccea77930acc3ae5eac47f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat
Filesize
24KB

MD5
652538fbcc09f588a6bb9c516c0a0902

SHA1
4987c6357dd49eab95f60d25e956db60d2085bcf

SHA256
35f7aad9f0ffa8c87af3f8c800766abfaaa932b2e46394529cd2c2b5bb32b5ac

SHA512
fc4d62f010bbc19f8f6e5b5d81128154be9677de1e7a5fe9cfc57a8b1563b0acb1a9cc4c12102b06c08b28bb302adfb8a9cd246deab285692609bd7e599cf374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon[1].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5F30.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6033.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2872-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-110-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-7-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-1-0x0000000077460000-0x0000000077462000-memory.dmp

Filesize
8KB

Download
memory/2872-583-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-586-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2872-587-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download